February 2008 $9.00 www.csoonline.com



INFRASTRUCTURE LOG

DAY 82: There are so many risks out there. So many things that can happen to our business: natural disasters, spikes in traffic, mergers. How do we prepare? One in three companies don’t recover from unplanned downtime.1 Would we?

Gil has wrapped everything in the office with bubble wrap. Everything. Just to be safe.

DAY 83: I’m preparing with IBM Business Resilience Solutions. IBM Business Continuity Services can help us assess our risks and design a proactive plan to deal with them. IBM Tivoli gives us the visibility to diagnose and fix infrastructure problems. And the robust availability features of the IBM System p™ give us maximum uptime. The future feels so much safer now.

No more bubble wrap. And I have to mail a package. Great.

Take the business continuity assessment at: IBM.COM/TAKEBACKCONTROL/READY


February 2008 Vol. 7, No. 1


Features...

22 The Paper Chain
Cover Story | Document Security
Learn how your sensitive records can get from dank, dusty basement to cavernous, temperature-controlled storage facility without incident.
By Scott Berinato

28 The Future of Antivirus
Antivirus | As signatures proliferate, antivirus vendors must ramp up other techniques for spotting and squashing malware.
By Michael Fitzgerald

32 How to Communicate With Your CEO About Security
Leadership | Former Sharper Image CEO Richard Thalheimer and CSO Joe Williams talk about how a close reporting relationship helped them reduce fraud and prioritize risks.
By Katherine Walsh

Also Inside...

4 From the Editor

6 From the Publisher

8 Join the Discussion
CSOonline readers debate the merits of OpenID and social networking.

10 Toolbox
Patching the Holes in Web Applications | Specialized application penetration testing tools and services can help keep websites from aiding hackers and malware.
By Mary Brandel

15 Briefing
The next big browser exploit; 7 rules employees love to break; Phone pranks gone evil; Security perks for CEOs; Verizon, Time Warner execs recognized; How to respond to a data breach disclosure; The ERP security challenge

36 The Day After the Deputy CISO Left Work on a Gurney
Undercover | Planning for the unexpected absence of key staff members.

38 Operation Combination
Industry View | Looking for cost savings and better security? Merging network and security operation centers could deliver.
By Yong-Gon Chon and Bill Jaeger

40 Debriefing
Keys to the Castle


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Copyright 2008 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles—followed by this symbol: J. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


2  www.csoonline.com  February  2008 


Cover  photo  by  Webb  Chappell 


What can ASIS do for you?

• Strengthen your personal network.
• Enhance your skills and knowledge.
• Develop your leadership abilities and earn credentials.
• Unlock doors to new career and business opportunities.
• Stay on top of current events and emerging trends.

Unleash the Power of ASIS

[  FROM  THE  EDITOR] 


Good Company

Your security department is itself a small company.

It needs to make great products and services, whether that means great investigations, great network perimeter defenses, great loss prevention processes and systems, or all that and more. But great security stuff is not enough. Not even close.

Your department, like any company, also needs to handle administrative functions, finance and operations in the most efficient way possible. Documentation. Scheduling. Project management. Metrics. Budgeting.

It needs to innovate, so it must have a research and development branch. You can’t just rely on the same processes and systems year after year, not when bad guys’ tactics evolve rapidly and advances in technology offer to change the value equation of your services at various unpredictable points in time.

It has a human resources element. Hiring, developing, evaluating, promoting, firing.

Your department needs a great sales and marketing arm. Not everyone in the wider organization will immediately recognize the excellence of what you do. You have to sell it to them. Persuade them of the benefit you’re providing, in their terms. I know some exceptional “idea men” who struggle to get others to buy into their ideas. So like it or not, good ideas alone are not enough. Sales and marketing are key skills in just about any profession.

For some of you, this is a particularly interesting challenge because you are the entire department. You have to serve as the CEO, CFO, salesperson, HR manager and much more for your security function. Others have a copilot or three, but that still means every person in the group wears a lot of hats, holds down multiple responsibilities. And each person needs a lot of different types of skills that aren’t specifically “security” skills.

Most especially, you need a lot of different skills.

That’s part of the thinking that brought us to the theme of our annual conference this year: CSO Perspectives, held March 16-18 at Atlanta’s InterContinental Buckhead. (See www.csoonline.com/conferences for details.) And that’s why the agenda includes, among other things, a dynamic half-day interactive workshop on presenting to the Board of Directors.

What is the “company function” in which you most need personal improvement? Is it marketing? HR? R&D? What personal skills-development goals have you set for this year, and how can our conference, magazine and website serve those goals? Drop me a line.

-Derek Slater, dslater@cxo.com


Editor  in  Chief  Derek  Slater 
Executive  Editor  Scott  Berinato 
Managing  Editor  Sarah  D.  Scalet 
Staff  Writer  Katherine  Walsh 
Copy  Chief  Dave  Gradijan 
Copy  Editor  Susan  Bryant-Still 
Associate  Copy  Editor 
Kristin  Burnham 

Editorial  Assistant  Jarina  D’Auria 
Editorial  Administrator 
Jill  Paquette 

Contributors Mary Brandel, Kathleen S. Carr, Yong-Gon Chon, Rick Cook, Michael Fitzgerald, Bill Jaeger, Robert McMillan

DESIGN 

Executive  Director,  Art  and 
Design  Mary  Lester 
Art  Director  Steve  Traynor 

RESEARCH 

Research  Manager  Carolyn  Johnson 
Senior  Research  Analyst 

Seanna  Maguire 

ONLINE  EDITORIAL 

Online  Editorial  Director 
Christopher  Lindquist 
Online  Managing  Editor 
Michael  Goldberg 
Senior  Online  Editors 
Meridith  Levinson,  Shawna  McAlearney, 
Esther  Schindler 
Associate  Online  Editor 
Diann  Daniel 
Online  Writer  Al  Sacco 

CXO  MEDIA/IDG 

COO  Matt  Smith 
CSO  Robert  Hayes 

TECHNICAL  ADVISORY  BOARD 

Jeremiah  Grossman,  WhiteHat  Security 
Frank  Murphy,  TBG  Security 
Stephen  Northcutt,  SANS  Institute 

EDITORIAL/ADVERTISING/ 
BUSINESS  OFFICES 

492  Old  Connecticut  Path, 

P.O.  BOX  9208, 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 




INTERNATIONAL  DATA  GROUP 

Board  Chairman 
Patrick  J.  McGovern 
President,  IDG  Communications 

Bob  Carrigan 




Photo  by  Webb  Chappell 


Vance Uniformed Protection is now Garda.

A new name for the security team you know.


For decades, Fortune 500 corporations and sensitive government agencies alike have trusted Vance Uniformed Protection to secure personnel, property and assets. Rigorous screening produces quality security officers. Rigorous training and supervision requirements yield consistent, reliable services that reduce risk and deter criminal activity. Now part of Garda, Vance Uniformed Protection continues to deliver unsurpassed value, maximizing client budgets by offering superior security programs at a competitive price.

In fact, only our name has changed. The same men and women—from the company's seasoned management team to its experienced security officers—provide exceptional value and service with a total commitment to quality, day in and day out.

Under the Garda name, Vance Uniformed Protection experts continue to protect your people and assets. We use the same screening, training, employee-retention programs and the same quality-assurance standards to deliver the service consistency and peace of mind that you have come to expect.

GARDA
FORMERLY VANCE

Contact our experts at 800.533.6754 or info@gardasecurity.com to upgrade your security program. gardasecurity.com


[  FROM  THE  PUBLISHER  ] 


Meeting Security on Facebook

Do social networking sites scare you as much as they scare me? When I see the types of things that some people put on their MySpace or Facebook pages, I cringe and remind myself to keep an eye on what my daughter is doing online.

That being said, this is not something that I can ignore when it comes to my day job at CSO.

For the past five years, CSO has been looking for new and innovative ways to help security leaders connect and share best practices and knowledge in a safe environment. Primarily, we have done this through our live events, like the upcoming CSO Perspectives Conference being held this March 16-18 in Atlanta (www.CSOPerspectives.com). Events where you can all gather, learn and share with your peers to become better security leaders. We’ve also been looking for innovative ways to extend the value of our live events to those who attend them. Despite my trepidations about Facebook, I think it may be an answer we have been searching for.

Last month, CSO launched the CSO group on Facebook in addition to adding groups around a number of our events. We have been slowly populating the CSO group with content and members, and as our numbers grow, it will be interesting to see how its use evolves.

In many ways I feel as though I just stepped out of a time machine. Despite the fact that I have spent the past 15 years addressing technology issues and consider myself somewhat of an expert, I pretty much missed the emergence of today’s social networking environments. I am aware, however, of the concerns that many of you share about the types of risks these can pose to your organizations. As the old saying goes, “Keep your friends close and your enemies closer.” There is no better way to learn about these sites than to participate in them.

Check out the CSO group on Facebook at http://www.facebook.com/group.php?gid=9524595762, or go to Facebook.com and search for “CSO” under Groups. You’ll need to be registered on Facebook to get to the group and then you’ll need to request permission to join. Those requests will come directly to me and I’ll add you to the group. Let us know how we can improve what we do there.

-Bob Bragdon, bbragdon@cxo.com


Advertiser Index

ASIS International ... 3
BigFix Inc. ... 17
CXO Media Inc. ... 19, 35, 39
Garda ... 5
HID Corp. ... C3
IBM Corp. ... C2
ISACA ... 7
Novell Inc. ... 14
RSA Security Inc. ... C4
SecureWorks ... 11


Publisher  Bob  Bragdon 
Senior  Ad  Sales  Associate 
Christine  McKay 
East  Coast  Regional  Manager 
Roz  Burke 

INTEGRATED  MEDIA  AND 
ONLINE  SALES 

Vice  President,  Online  Sales 

Brian  Glynn 

Online  Regional  Sales  Manager 
Richard  Hartman 
Online  Regional  Sales  Manager, 
West  Coast  Erika  Karr 
Online  Regional  Sales  Manager, 
Midwest  Sarah  Gaskin 
Manager,  Online  Account  Services 
Danielle  Tetreault 

Online  Account  Services  Specialist 
Valerie  Sumner 
Online  Advertising  Specialist 
Irina  Gabechiia 
Online  Sales  Associate 
Erin  Sullivan 

CUSTOM  SOLUTIONS  GROUP 

Vice  President  Matt  Avery 
National  Sales  Director 

Adam  Dennison 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Heidi  Broadley 
Associate  Production  Manager 
Lisa  M.  Stevenson 

EXECUTIVE  PROGRAMS 

VP,  Executive  Programs 
Ellen  Daly 

Director,  Event  Marketing 

Mary  Conroy 

Director,  Event  Operations 
Deb  Begreen 
National  Sales  Manager 

Per  Melker 

Senior  Conference  Producer 
Judith  Kittredge 
Event  Planner  Sarah  Reagan 
Event  Coordinator  Bethany  Whiffin 
Registration  Specialist  Cress  O’Brien 
Client  Services  Specialist  Erica  Foster 

LIST  SERVICES 

Contact Paul Capone of IDG List Services at 508 370-0865 or pcapone@idglist.com

REPRINTS  &  PERMISSIONS 

For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460 ext. 150, cso@theygsgroup.com




Photo  by  Christopher  Navin 


CISA
Certified Information Systems Auditor

CISM
CERTIFIED INFORMATION SECURITY MANAGER

Exam Registration: 9 April 2008
Exam Date: 14 June 2008

www.isaca.org/csomag


What’s on your mind? Security leaders discuss and debate at www.csoonline.com


BLOG  POST 

Is It Time for CSOs to Pay Attention to OpenID?

Eric Norlin examines its future, and its security

The announcement that Yahoo is embracing OpenID has me wondering if it’s time for CSOs to start paying attention.

OpenID is now undeniably gaining momentum as measured in terms of number of accounts and large, consumer-facing Internet companies supporting the protocol. It would seem that OpenID is on its way to becoming a “standard” for Internet identity (“seem” being the operative word). But still, does that mean diddly-squat for the modern-day CSO?

Michael Barrett, CISO for PayPal and ex-president of the Liberty Alliance, has compared the security of the OpenID protocol to “handing a child scissors and telling them to run around the yard.” And a comment like that certainly makes an enterprise-side person stop and think twice. But if that’s the case, then why are Google, Yahoo, AOL and others supporting this protocol? I can feel CSOs everywhere sitting, waiting to see if a major security breach happens over the next year.

Either way, though, I would think that every CSO who’s working on identity should, at the very least, get up to speed on what OpenID is bringing to the table.


BLOG  POST 

Social Networking Sites = Social Engineering Bonanza?

Michael Overly warns of workers disclosing company info

THIS ENTRY WAS prompted by a recent CareerBuilder.com study that showed, among other things, 63 percent of employers who reviewed applicants’ social networking profiles decided not to hire them based on what was discovered in those profiles. Reading this, it occurred to me to take a random walk through some of the social networking sites, including personal blogs, to get a feel for the type of information available. In taking that walk, I used several new search engines that focus on these types of sites: Pipl.com, PeekYou.com, Wink.com and Spock.com. The point of my research was to see what, if any, information was available through these sites that would be of use to, say, a social engineer. What I found greatly surprised me.

These sites, particularly employee blogs, provided an amazing range of information that could easily be exploited by a social engineer in gaining access to an employer’s systems and data. Employees freely talked about their supervisors by name, the buildings they work in, their coworkers and even the projects they were working on. To my surprise, there was also much information regarding the specifics of their employers’ business plans, products and services. Some of this information seemed clearly to be confidential to the business, even constituting trade secrets. It occurred to me that a potential hacker would not even need to engage in social engineering, but only review the relevant sites to obtain valuable information about the companies the hacker was targeting.

While businesses cannot, in general, legally control the information employees post on these sites, they can emphasize to employees their contractual obligations to protect and preserve the confidentiality of the business’s information and to sensitize employees about the risks of posting company-specific information on public forums.




Photo  by  istockphoto 


Given the exponential growth of networking sites and blogs, businesses should consider implementing training on these issues as soon as possible. At minimum, it would be time well spent to invest a few hours one afternoon running your company name through these search engines. The results may surprise you.

BLOG  POST 

Top 10 Reasons You As a CISO Will Resign in 2008

Jeff Bardin suggests some intriguing career-shift options

10. YOU HAVE to ask everybody in the organization—all umpteen thousand of them—to buy into your ideas.

9. The opportunity to be tied in a leather bag with ravenous, rabid ocelots caught your eye on Monster.com.

8. Your sincere hope that the reptilian extraterrestrial tyrants who clandestinely own and operate IT would reveal themselves during your tenure does not manifest itself.

7. Seeing as this situation was unlikely to change without getting a full frontal lobotomy, you are forced to tender your resignation.

6. Guantanamo has an opening.

5. The imminent dissolution of civilization, followed by a period of universal suffering and despotic rule by sociopathic passive-aggressives over feudal minions who spend their short, brutal lives tending servers in a fire-scarred data center, forces you to move on.

4. You decide to become a professional pirate. It has always been a dream of yours to live the life of a swashbuckling corsair, beholden to none and master of all you survey. Rrrrr.

3. You decide to get involved in the flinging of porcupines between oceangoing cargo ships and the shore as your new career path.

2. A position of junior goat herder in Mongolia was too much to turn down.

1. You have a chance to star in the remake of The Adventures of Buckaroo Banzai Across the 8th Dimension as John YaYa.

MORE ON THE WEB

“The consensus was that the fundamental problem within the department was weak and sometimes flawed leadership.”

-Dr. James Giermanski, examining U.S. container security policies at www2.csoonline.com/exclusives/column.html?CID=33447.

COMMENT 

I WOULD HAVE rewritten number 10 slightly:

You have been trying to tell everyone in the organization—all umpteen thousand of them—that data breaches just aren’t an IT standard and definitely not a security policy. You want to get out before “they” sell you their ideas about security.

-Anonymous 

COMMENT 

YOU MISSED THESE:

■ It has become apparent to you that your business’s definition of “risk management” is “getting away with everything we can get away with as long as we can without being stung and then blaming it on an ineffective information security program when we get caught with our pants down.”

■ Your boss’s solution for resolving audit findings is to revise the information security policy so that everyone in the company will be compliant by default.

■ It dawns on you that being curled up in the fetal position in the corner of your office is something that you’d just as well do from home in the comfort of your own bedroom.

-Anonymous

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.csoonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213

Scott Berinato, Executive Editor
sberinato@cxo.com
508 988-7587

Sarah Scalet, Managing Editor
sscalet@cxo.com
973 338-0059

Katherine Walsh, Staff Writer
kwalsh@cxo.com
508 988-6939

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 150, cso@theygsgroup.com


COMMENT 

THE “RISK MANAGEMENT” comment is dead-on! I deal with that at my job as well. A classic case of creating processes to pass an audit then shelving those processes because “it’s over.” Upper execs think it’s the CISO’s job to execute security policy. Everyone else can do as they please. If something goes wrong, they have the CISO to throw to the wolves.

Am I cynical? Sadly, yes...

-Anonymous




TOOLS,  TECHNOLOGIES  AND  TACTICS 

By Mary Brandel


Patching  the  Holes  in 
Web  Applications 

Specialized  application  penetration  testing  tools  and  services  can  help 
keep  websites  from  serving  as  a  front  door  for  hackers  and  malware 


Traditionally—if such a word can apply to the rapidly morphing digital world—companies have protected their websites by guarding the perimeter with Web firewalls. However, the ever-growing realization is that the real vulnerability lies in the Web applications themselves, which often contain easily exploited security flaws. According to consultancy Gartner, 90 percent of externally accessible applications today are Web-enabled, and two-thirds of them have exploitable vulnerabilities.

That’s where Web application penetration testing tools and services come in. Diana Kelley, VP and service director at Burton Group, says these tools and services conduct automated scans of Web applications that are either in production or just prior to going live, applying threat models and misuse cases to unearth common vulnerabilities. Some of the top 10 flaws defined by the Open Web Application Security Project (OWASP), including SQL injection, cross-site scripting and improper error handling, were until quite recently alien concepts to a lot of people, including developers. In some cases, the tools provide suggested parameters for how to fix these types of problems.

Today, Web penetration testing is considered a key component in ensuring application security, which has become an essential part of enterprise risk management, Kelley says. Or as Joseph Feiman, analyst at Gartner, puts it, “It’s coming down to a race between you and the hackers. Either you use [penetration testing] or the hackers will do it for you.”

According to Gartner, enterprises considering these tools and services should expect substantial market and product consolidation. Acquisitions are likely among the major software development lifecycle (SDLC) platform providers and security vendors, Feiman says. Already the quality-assurance divisions of two heavyweights, Hewlett-Packard and IBM, have bought into the market (acquiring SPI Dynamics and Watchfire, respectively).

Illustration by Katy Lemay

Your next attacker will be highly motivated. Fortunately, so are we.

If it’s worth storing, it’s worth stealing. We know because we’re SecureWorks, and nobody is better positioned to defend your network. Our client-dedicated security analysts work round-the-clock supported by the industry-leading counter-threat unit and state-of-the-art threat correlation platform — all to ensure your company and your reputation remain intact.

SecureWorks
www.secureworks.com

©2007 SecureWorks, all rights reserved. SecureWorks and the SecureWorks logo are registered trademarks of SecureWorks.

Here is advice from CISOs and analysts on how to evaluate and use these tools and services.

Key  Decisions 

1) Who's going to use it? Assigning responsibility for securing Web applications isn’t always a straightforward task. It’s a new concept for development groups and QA teams, and security groups are more accustomed to network issues than application issues. So who does the job? According to Feiman, it’s awkward for security specialists to scan the application and forward the results to developers. But that’s exactly what many companies do, at least until the developers accept the idea of using the tools.

Phil Heneghan, chief information security officer at USAID, for instance, has shouldered the responsibility for Web application security, believing it’s ultimately his job to secure the enterprise and that it’s better to have someone other than the application creators assess its vulnerabilities. “You could end up with a rose-colored picture if the developer says, ‘Don’t worry; I checked it, and it’s fine,’” he says.

Similarly, Andre Hiotis, technology security officer at NAV Canada, purchased HP/SPI Dynamics’ WebInspect more than a year ago and is only now putting it on developers’ desktops to use themselves, at their request. If he’d given it to them at the get-go, he says, they would have been overwhelmed by all the information it produced. As it is, his team has had time to learn the tool and can now provide assistance to the developers when they use it. Security staff is also better equipped to prioritize and edit the tool’s voluminous reports and will continue to provide that service. “If the developers saw 100 things needed to be fixed, they couldn’t judge which were high, medium or low risk,” Hiotis says.

2) Service or tool (or both)? You can buy the tool and dedicate resources to building a robust testing capability, or have a vendor scan your Web applications remotely, validate the findings and produce a focused report. Most leading vendors now offer both options, except WhiteHat, which offers only a service-based solution. “Many companies wish to perform their own testing in-house, for control, management and privacy purposes, but there’s a large and growing market for scanning services,” Kelley says.

And some organizations are choosing to use both. The manager of information security at a large healthcare organization (who declined to be identified), for instance, temporarily halted the use of WebInspect when he found he didn’t have the staff resources to manage the volumes of data it produced. “You need human intelligence to eliminate the false positives and get a complete analysis of where the vulnerabilities lie,” he says. He turned to WhiteHat for help interpreting the results and working with developers to fix problems.


Comparing Vulnerability Scanners

| | Cenzic | HP (SPI) | IBM (Watchfire) | NTObjectives | WhiteHat |
|---|---|---|---|---|---|
| Product or Service | Either | Either | Either | Either | Service only |
| Installation (Centralized or Desktop/Distributed) | Either | Either | Either | Either | N/A (hosted service) |
| Reporting Formats | CSV, DOC, HTML, PDF, RTF | HTML and PDF or direct from SQL database | DOC, PDF, PPT, XML; reporting console supports CSV, DOC, PDF, XLS, XML | HTML, XML or direct from SQL database | HTML, PDF, XML |
| QA/Testing Integration | Integrates with Borland and HP Quality Center | Integrates with HP QA Inspect, HP Quality Center, IBM Rational ClearQuest, Microsoft Visual Studio Team System | Integrates with IBM Rational ClearQuest, HP Quality Center and Microsoft Visual Studio Team System | No | Via API |
| Static Source Code Analysis Tool Integration | Integrates with Fortify SCA and Ounce Labs | Integrates with HP (SPI) DevInspect; partnerships with Veracode and Ounce Labs | Integrates with Fortify SCA | Static binary analysis, Veracode | N/A |
| Web Application Firewall (WAF) Integration | Integrates with NetContinuum | Integrates if WAF supports AVDL | No | No | N/A |
| Manual Penetration Testing Support | Tester-configured Smart Attacks | HP (SPI) Security Toolkit | AppScan Extensions Framework, Watchfire PowerTools and ability to manage third-party tools from the AppScan console | Tester-configured manual crawling, XML attacks and fuzzing | Service includes manual penetration testing |

Source: The Burton Group


12  www.csoonline.com  February  2008 


After a year of becoming accustomed to the service, he’s now expanding the use of his original tool and is planning to take a three-tiered approach. Developers will test coding and compilations on the fly with WebInspect, and then security staff will run a second scan with that tool. On the third pass, they’ll push the application out to the Internet and have WhiteHat run a test.

3) How will you integrate? These tools operate best when they are integrated, either natively or through an application programming interface (API), with other systems used by developers and the QA team. These include QA and testing tools, as well as content management, project management and scheduling tools, so the scan results can be tracked and fixed like any other code defect. They should also tightly integrate with SDLC platforms such as Microsoft Visual Studio, so that, ideally, developers could run a scan from their desktop, using an interface similar to their development tool’s.

It’s also optimal for the tool or service to export results directly to a static source code scanning tool. That’s because while Web application testing tools can tell you what kind of vulnerability you have, they don’t pinpoint the exact location in the code where the problem lies. “Detecting vulnerability is 50 percent of the job,” Fieman says. “You have to close the loop.”

Evaluation Criteria

According to Gartner, there are almost no dramatic differences between vendors’ scanning technology principles; differentiation lies among vendors’ ability to do the following:

■ Tightly integrate with software development and production processes and platforms.

■ Manage and report across multiple deployed scanners.

■ Scale to different size environments.

■ Provide features and services beyond scanning, such as source code scanning; Sox, HIPAA and other compliance analyses; automatic vulnerability fixing; hosting services; training; assistance in process design; and consulting in the adoption of security into the SDLC process.

Gartner adds the following technological criteria to consider:

■ Vulnerability detection and corrective analysis. Vulnerabilities should be reported, and suggestions for correction should be made in a language that developers can understand. The scanner should identify the relevant webpage and URL where the vulnerability was detected. False positives must be low.

■ Continuous and prompt update of the vulnerability database. Because new attacks appear over time, vendors must keep a database of all known vulnerabilities and promptly update it with new vulnerabilities as part of the standard maintenance contract. A metadata repository would help in analyzing vulnerabilities and remedies.

■ Reporting and analysis. The tool should aid in classifying detected vulnerabilities and rating them according to their severity. In addition, detailed explanations of vulnerabilities, suggested solutions, and linkage to existing patches and patterns should be available. Reports should cater to application developers and security professionals of different levels.

■ Ease of use by nonsecurity experts.

■ Protocol support. Most scanners use only HTML and HTTP to probe Web-enabled applications. However, it broadens usability when other protocols are supported, such as SOAP, SNA, LU 6.2, RPC and RMI.

■ The tool should support common Web server platforms, such as IIS and Apache, as well as hosted functionality in the form of ASP, JSP and ASP.NET.

“Either you use penetration testing or the hackers will do it for you.”

-GARTNER ANALYST JOSEPH FIEMAN

Dos and Don’ts

DO make sure your company is ready to make a real investment not just in the tool, but also in training, staffing and developing robust processes around finding and fixing vulnerabilities. “The main weakness I see is companies that feel they can take the product, point it at their applications and get the same wealth of information they could get if they did manual or highly assisted testing,” Kelley says. “You have to educate your testers on how to test, and they need time to work with and configure and use some of the add-ons provided to assist the process.”

DON’T expect developers to love the tool right away. Many developers have been blissfully ignorant of Web application security elements and are either embarrassed, insulted or just not interested in what these tools reveal. “One of the biggest pain points was getting people to accept the seriousness involved with this,” says the security manager at the healthcare organization. It took his organization a year and a half to get developers to adopt the tools.

DO realize the limitations of these tools. Some people want to believe that if the tools don’t find a problem, they’re home free, says Gary McGraw, CTO at security consultancy Cigital. “But the only thing it can tell you is you don’t have these [specific] problems,” he says. “If they had a list of all possible security problems ever in the history and future of the planet, that would be a great thing, but that’s impossible.” That’s why McGraw famously called these tools “badness-ometers”: they can tell you when your code is bad, but they can’t tell you that your code is lock-tight secure. Not that the tools don’t have value, McGraw says; they do shorten the testing cycle considerably, but humans are often needed to validate that a problem exists.

DON’T think one tool will find every problem. At the healthcare organization, “We’ve found vulnerabilities with SPI that WhiteHat didn’t and vice versa,” the manager says.

DO realize that security is not a one-time event. Because Web applications are ever-changing, they must be tested continuously to ensure no new vulnerabilities have been introduced, Burton Group’s Kelley says. Even OWASP continuously changes its top 10 guidelines. Heneghan scans his organization’s Web applications once a month. The healthcare organization security manager warns it can take one or two days to crawl through all his firm’s applications and produce an analysis. ■

Mary Brandel is a freelance writer based outside of Boston. Send feedback to Editor in Chief Derek Slater at dslater@cxo.com.




ADVERTISEMENT

COMPLIANCE: MOVING FROM MANDATE TO DIFFERENTIATOR

Compliance is no longer the dreaded four-letter word of yesteryear, tackled only under sheer duress. Today, forward-thinking companies are taking a more voluntary approach to governance, risk and compliance (GRC), says Ross Chevalier, CTO Canada for Waltham, Mass.-based Novell. “It’s a differentiator, an opportunity to prove trust and competence,” he says.

In fact, a recent survey by IDG Research Services reveals that smart business and IT leaders are implementing identity, access and security management solutions to make that advantage a reality. After all, good security helps companies establish the very controls and business structure needed to enable compliance. That’s putting some CSOs, CIOs and CISOs in the enviable position of contributing not just to the bottom line, but to the top line, too.

Security Tops the List

It’s no surprise that more than three-quarters of respondents assign a critical or high priority to their company’s ability to identify and manage risk. They are already addressing these issues with security management (71 percent), access management (66 percent) and identity management (62 percent) solutions. GRC happens to be the main driver behind such technologies, with respondents most frequently pointing to the ability to “prove” compliance as the primary benefit of implementation.

“One of the greatest challenges under GRC is not that you say it’s so, but that you can show it is so,” Chevalier says. Identity, access and security management are complementary technologies that provide proof points in the context of authoritative data so executives can do exactly that.

Achieving Success

Despite their emphasis on identifying and managing risk, most respondents rate their company’s success in doing so as relatively low. Ivan Hurtt, senior product marketing manager at Novell, contends it is the lack of visibility and information aggregation that prevents companies from successfully identifying compliance violations.

Identity, access and security management solutions help eliminate that barrier, forcing the breakdown of silos and fostering better management of identities, separation of duty and consistency in policy enforcement. More important, automation tools allow CSOs to respond to audit requests with on-demand precision, rather than scrambling to manually construct each compliance entity. It’s the audit dance, Chevalier says, not the fines and judgments, “that can put you out of business.” And in the end, it’s far easier for auditors to put their faith in automated processes than in error-prone manual ones.

“Of course, there are critical controls and business structure that come with compliance,” says Chevalier. So the value — from more accurate access privileges and better password security, to streamlined management and reduced password reset costs — is there for the taking. The greatest return, however, comes from not only protecting but also enhancing the corporate brand and reputation. That makes compliance a business opportunity, not just a mandate from the powers that be.

Bottom line: Implementing the right identity, access and security management technologies provides an opportunity few CSOs, CIOs and CISOs can afford to pass up.

“With the right security in place, compliance will follow naturally,” says Ivan Hurtt, senior product marketing manager at Novell. Find out how to make it happen by visiting www.csoonline.com/whitepaper/compliance to obtain a free download of the survey results and insightful commentary from key respondents.

Novell

CSO Custom Solutions Group

Copyright © 2008 Novell, Inc. All Rights Reserved. Novell, the Novell logo and the N logo are registered trademarks of Novell, Inc. in the United States and other countries. *All third-party trademarks are the property of their respective owners.


“We’re lucky that they didn’t shoot him.” -PAGE 16


Edited  by  Sarah  D.  Scalet 


THREATS

THE NEXT BIG BROWSER EXPLOIT

With cross-site request forgery, websites execute commands that visitors don’t want

After cross-site scripting (XSS), the second most common Web application security exploit is probably one you haven’t heard of: cross-site request forgery (CSRF). This little-known but troubling attack essentially hijacks a user’s browser to perform actions she didn’t intend, anything from ordering merchandise to sending threatening letters to the White House.

By their nature, CSRF attacks are hard to prove. Unless you have a case like the Samy worm that produces a major disruption, it’s hard even to know such an exploit is out there. (The 2005 Samy worm was discovered only because it used CSRF to temporarily make the writer the most popular person on MySpace.) Unlike an XSS attack, which tricks the site into uploading malicious code, CSRF simply has the site execute legitimate commands, just not commands issued by the user. Jeremiah Grossman, CTO at WhiteHat Security, estimates that it’s the second most common Web-application attack, after XSS, and believes that it is about where XSS was a couple of years ago: Few security professionals are aware of it, but it is being increasingly exploited by computer criminals.

Extreme Web Browsing

An anti-CSRF precaution

FOR THE MOST PART, the defense against CSRF must come from websites themselves, not Web users. But Jeremiah Grossman, CTO at WhiteHat Security, has a workaround he uses to protect himself online. It involves having two browsers. One, which he calls the “promiscuous” browser, is the one he uses for ordinary browsing; a second browser is used only for security-critical tasks such as online banking.

When Grossman wants to do online banking, he closes his promiscuous browser (typically Mozilla Firefox), opens the more prudish one (usually a really old and obscure version of Netscape or Safari), and does only what he has to do before closing it and going back to his insecure browser.

The approach works because then, even if Grossman encounters the CSRF attack while online, the website where he does sensitive activities won’t execute any orders it receives from his browser.

-R.C.

The Attack

Here’s how it works. The attacker inserts a snippet of code, often disguised as an img, script or iframe in HTML, or an image object in JavaScript, that contains a payload of the form “http://host/?command”. This code instructs the victim’s browser to send a request to the target website. If the victim is authenticated on the site or the site does not require authentication, the targeted website executes the command without further prompting.

While the dangers of such attacks on sites that require authentication are obvious, even CSRFs against sites that don’t require authentication can be damaging. Grossman points out that Whitehouse.gov doesn’t require authentication, but sending a bunch of threatening e-mails to the White House is probably going to get you a visit from the FBI.

Of course, the vast majority of people who encounter the attack on a site that does have authentication won’t be logged in to the site. But then, almost no one buys male enhancement pills from spam ads, either; it just takes one or two victims to make the effort worthwhile. “The bad guys are just looking in the off chance someone is logged in to that particular website,” Grossman says.

The Defense

If the technique is simple, good defenses aren’t. There’s little the user can do to protect himself. The defense has to come from the threatened website.

The most basic defense is authenticating each session individually and possibly authenticating again before the user can perform risky actions. Amazon.com has reportedly adopted this method and now requires reauthentication before a customer performs actions such as changing the shipping address.

A more sophisticated defense involves making sure the bad guys won’t have the exact command to execute an action on the target website. “Essentially, what the developer is trying to do is make sure the request is unpredictable,” Grossman says. “The same request I use to do a wire transfer will not be identical to one you make.” Typically this would involve generating cryptographic tokens for each user.

It’s not an easy option. “The solution has to be on every website, and the logic has to be buried in the middle of a function flow,” Grossman says, noting that he isn’t aware of any third-party software application that developers can use to add that feature.

Oh, and there’s one other problem. “With every solution we’re aware of, if a website is vulnerable to a XSS attack they [the CSRF protections] don’t work,” Grossman says. In other words, developers need to protect against XSS before they can protect against CSRF.

-Rick  Cook 
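The per-user token defense Grossman describes, as an added example written for this page (not WhiteHat’s or any vendor’s code): a minimal Python bank handler with the cookie-only check that CSRF defeats beside the hardened version that also demands an unpredictable, session-bound token. The host name bank.example, the balances and the session layout are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

# Per-deployment secret. Generated at import for this demo; a real site would load it
# from configuration so tokens survive restarts.
SERVER_KEY = secrets.token_bytes(32)

# Account balances keyed by user name, constructed for the demo.
BALANCES = {"alice": 500, "bob": 100, "mallory": 0, "attacker": 0}


@dataclass
class Session:
    session_id: str
    user: str


def issue_session(user: str) -> Session:
    # The session id goes to the browser as a cookie. The browser attaches it to every
    # request to this host, including one that a third-party page triggered.
    return Session(session_id=secrets.token_hex(16), user=user)


def csrf_token(session: Session) -> str:
    # HMAC of the session id under the server key: different for every session ("the same
    # request I use to do a wire transfer will not be identical to one you make") and not
    # computable by anyone who does not hold SERVER_KEY.
    return hmac.new(SERVER_KEY, session.session_id.encode(), hashlib.sha256).hexdigest()


def legitimate_transfer_url(session: Session, to: str, amount: int) -> str:
    # What the bank's own transfer form submits. The token was embedded in the page the
    # server rendered for this session, so only a form on the bank's own pages knows it.
    query = urlencode({"to": to, "amount": amount, "csrf": csrf_token(session)})
    return f"http://bank.example/transfer?{query}"


def _parse(request_url: str) -> dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}


def _execute(session: Session, params: dict[str, str]) -> tuple[str, str]:
    try:
        to, amount = params["to"], int(params["amount"])
    except (KeyError, ValueError):
        return ("rejected", "malformed request")
    if BALANCES[session.user] < amount:
        return ("rejected", "insufficient funds")
    BALANCES[session.user] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount
    return ("executed", f"{session.user} sent {amount} to {to}")


def handle_transfer_unprotected(session: Session, request_url: str) -> tuple[str, str]:
    # Vulnerable handler: a valid session cookie is the only check, so a forged
    # http://host/?command request fires as soon as the victim's browser loads it.
    return _execute(session, _parse(request_url))


def handle_transfer(session: Session, request_url: str) -> tuple[str, str]:
    # Hardened handler: the request must also carry the token bound to this session.
    # Constant-time comparison so the check leaks nothing about the expected value.
    params = _parse(request_url)
    presented = params.get("csrf", "").encode()
    if not hmac.compare_digest(presented, csrf_token(session).encode()):
        return ("rejected", "missing or invalid anti-CSRF token")
    return _execute(session, params)


if __name__ == "__main__":
    victim = issue_session("alice")
    # The kind of request a hostile page would embed in an img tag; the victim's browser
    # attaches alice's cookie, but no page outside bank.example can supply her token.
    forged = "http://bank.example/transfer?to=attacker&amount=100"
    print(handle_transfer_unprotected(victim, forged))   # executed: cookie alone sufficed
    print(handle_transfer(victim, forged))               # rejected: no token
    print(handle_transfer(victim, legitimate_transfer_url(victim, "bob", 50)))  # executed
```

As the article notes, this check stands or falls with the site’s XSS protection: script injected into bank.example could read the token out of the rendered page and submit it.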




>>  BRIEFING 


AWARENESS

7 Rules Employees Love to Break

New study shows that many users are taking risks with sensitive information, either because good policies don’t exist or aren’t enforced

New research from the Ponemon Institute finds that either companies are not setting, or employees are not following, data security procedures in several high-risk areas. “Data Security Policies: Compliance and Enforcement,” a survey of 893 corporate IT workers, examined the risks associated with storing and transporting sensitive information and looked at how well companies are implementing and enforcing policies to protect against this risk. Below are seven areas where employees are breaking the most rules or are being the most careless.

1. Copying confidential information onto a USB memory stick: Eighty-seven percent of respondents believe their company’s policy forbids it, yet 51 percent say they do it anyway.

2. Accessing Web-based e-mail accounts from a workplace computer: Forty-five percent of those surveyed use Web mail at work; 74 percent say there is no stated policy that forbids it.

3. Losing a portable data-bearing device: Thirty-nine percent of respondents say they have lost or misplaced such a device, and 72 percent of them did not report the lost device immediately.

4. Downloading personal software onto a company computer: Sixty percent of respondents say there is no stated policy that forbids downloading personal software, a practice that 45 percent of respondents admit to.

5. Sending workplace documents as an attachment in e-mail: Thirty-three percent of respondents send work documents as attachments, and 48 percent aren’t even sure whether that violates policy.

6. Disabling security and firewall settings: Eighty percent of those surveyed don’t know whether disabling security is against policy; 17 percent of respondents do it.

7. Sharing passwords with coworkers: Sixty-seven percent say the company’s policy forbids sharing passwords, but 46 percent of them do it anyway.

-Katherine Walsh


EMERGENCY RESPONSE

Phone Pranks Gone Evil

“Swatters” have turned 911 into a weapon

IT’S LATE. The kids are asleep, and suddenly there’s a rustling outside. You grab something to defend yourself, maybe a baseball bat, and quietly inch open the door to see who’s there. Immediately, you’re surrounded by automatic weapons. Men are yelling at you to get down on the ground with your hands behind your head.

No, this isn’t a home invasion. You’ve been swatted.

It happened on March 29, 2007, to an Orange County, Calif., resident, identified in court documents only as Doug B. According to authorities, a 19-year-old Washington man named Randall Ellis called Orange County’s 911 dispatch, spoofing Doug B’s telephone number and, over the course of a 38-minute telephone call, convinced authorities that he had murdered someone on the premises and was about to do it again.

Within minutes, fire, police and a helicopter team had been dispatched to the home of the Lake Forest, Calif., couple.

“They surrounded the home. Inside were a husband and wife and their two toddlers,” says Farrah Emami, a spokeswoman with the Orange County district attorney’s office. “We’re lucky that they didn’t shoot him.”

Ellis is one of a handful of people who have been arrested over the past year in connection with an estimated 260 swatting incidents that have cost local authorities hundreds of thousands of dollars in wasted response efforts. The bill for the Lake Forest incident alone ran in excess of $18,000.

And while swatting can be done quite easily (in one case, a caller simply blocked his Caller ID and gave emergency dispatch a fake phone number), the swatters have also used some sophisticated social engineering techniques.

One convicted swatter, Guadalupe Martinez, would call an internal AT&T number claiming to be a service representative working in the field in order to scope out information on victims and sometimes even terminate their phone service, according to Detective Larry Cole with the Snohomish County sheriff’s office in Washington state.

Cole says that Martinez and his fellow swatters target people for two reasons: for kicks and to get even. “They had very limited social skills so they were kind of immature,” he says.

Martinez, who went by the nickname “Wicked Wizard,” would often swat victims as a way of settling the score for some chat-room slight, Cole says. “I think it was a power trip for him. It was his way of being the big man.”

-Robert McMillan




Gartner Endpoint Protection Magic Quadrant, 12/27/2007

In 2007, Gartner called us “visionary.” In 2008, we will surely dominate, because we offer the IT industry’s only converged IT security and operations platform that enables real-time visibility and control of globally distributed desktop, mobile and server computer infrastructures. Consider this fair warning to LANDesk, McAfee, Microsoft and Symantec. We fix the problems you cause.

For IT professionals who’ve had that burning hope that there is something better out there, visit www.bigfix.com/wemeanbusiness or call 510-652-6700 x116. Our free on-site proof of concept will prove to you and to our competition that ...we really mean business.

Technology Innovation (BigFix / LANDesk / McAfee / Microsoft / Symantec)

Single Intelligent Endpoint Agent: ✓ / X / X / X / X
Single Console: ✓ / X / X / X / X
Manage 3rd Party Applications: ✓ / X / X / X / X
1 Server Manages 200K Endpoints: Absolutely / No way / Not close / Someday** / Never
Endpoint Verification Speed: Minutes / Weeks / Weeks / Days / Never
All Popular Endpoint OSs Supported: Of course / X / X / Never! / X
Global Asset Discovery: ✓ / X / X / X / X
Off-network Device Same as Connected: ✓ / X / X / X / X
Innovated or Acquired Critical Components: Innovated / Acquired / Acquired / Acquired / Acquired

BIGFIX

We mean business

©2007 BIGFIX. BIGFIX and its logo are registered trademarks of BIGFIX, Inc. All other trademarks are sincerely and respectfully acknowledged. **Only if Microsoft licenses our patents.




>>  BRIEFING 




EXECUTIVE PROTECTION

SECURITY PERKS FOR CEOS

Four technology company CEOs, four vastly different protection packages

Not sure how much money your company should spend protecting its chief executive? The answer is: it depends. According to an analysis of proxy statements filed with the Securities and Exchange Commission, even in a given industry, there are no clear benchmarks on the cost of executive protection.

Part of the reason is different interpretations of how costs should be accounted for and disclosed. More important, different threats (and personalities) require different strategies. “There is no one piece of security that should, without question, be implemented in every executive protection strategy,” says Tim Horner, managing director at Kroll.

Below are how some of the country’s largest technology companies report the cost of executive protection for their CEOs.

IBM Samuel J. Palmisano

At the country’s largest technology company, “security practices provide that all air travel by the Chairman and CEO, including personal travel, be on Company aircraft.” The CEO is driven to and from work by IBM personnel in a car leased by IBM, which may also be used for nonbusiness occasions. In all, the company spent $373,187 on Palmisano’s personal use of company aircraft and $53,409 on personal security. This includes home security and monitoring systems, as well as security personnel for Palmisano and his family and the cost of hotels, meals, car services, airfare and salary for those security personnel. It’s a decent chunk of Palmisano’s total “other compensation” of $922,530.

Xerox Anne Mulcahy

Mulcahy is required whenever feasible to use the company aircraft for travel for “security and personal safety.” Using this criterion, most of Mulcahy’s “other compensation” can be classified as a security expense. Of the $296,026 listed under “all other compensation” for Mulcahy in the 2007 proxy statement, $193,300 was spent on personal use of the corporate aircraft, and another $18,679 went toward home security and other miscellaneous benefits.

Oracle Lawrence Ellison

Oracle reportedly spent a whopping $1,708,763 on security for Ellison. The proxy states that Ellison is required to have a home security system but is mum on most details.

Dell Michael Dell

The company reports spending $1,051,000 on personal and residential security for chairman and CEO Michael Dell in FY07. According to the proxy statement: “The Board believes that Mr. Dell’s personal safety and security are of vital importance to the company’s business and prospects, and therefore that all these costs are appropriate corporate business expenses.” Security services are also provided for members of Dell’s immediate family and for locations other than his primary residence.

-Katherine Walsh




CAREER

Movers & Shakers

Execs at Verizon, Time Warner recognized for their leadership

A round of applause for this year’s Women of Influence award winners, who were recognized at the Executive Women’s Forum. The awards are cosponsored by CSO magazine and Alta Associates. And the winners are...

Cheryl Peace (Public Sector), Defense Joint Intelligence Operations Center Office, Defense Intelligence Senior Executive Service. Peace shapes and integrates processes, policy and intelligence within the Department of Defense and in coordination with the Office of the Director of National Intelligence.

Maggie Mansourkia (One to Watch), assistant general counsel and chief privacy counsel for Verizon Communications. Mansourkia was recognized for helping develop new privacy standards and for making privacy reviews part of all internal audits and mandatory for new products and services.

Jayshree Ullal (Private Solutions Provider), SVP and general manager of the security and technology group at Cisco. Judges noted that she excels at “building strong, talented and competitive teams focused on achieving goals.”

Renee Guttmann-Stark (Corporate Practitioner), information security officer for Time and Time Warner Corporate. Guttmann-Stark is responsible for the security of 600,000 employee records, 150 million customer records and 150 websites.

Meanwhile, several prominent CSOs have been on the move in recent months, including:

John Theriault, former vice president of global security for Pfizer, was named vice president of global security for Apple Computer.

Google hired Jane Horvath, the Justice Department’s former chief privacy officer, as senior privacy counsel.

Michael Lines, former TransUnion CSO, is now global chief information security officer at PricewaterhouseCoopers.

To stay on top of job announcements, visit the Movers & Shakers blog at http://blogs.csoonline.com/blog/movers_and_shakers.




THE  EMPLOYEE  SECURITY  AWARENESS  NEWSLETTER  FROM  THE  EDITORS  AT  CSO 


Security  Smart  is  a  quarterly  security  awareness  newsletter  ready 
for  distribution  to  your  employees — saving  you  precious  time  on 
employee  education!  The  compelling  content  combines  personal 
and  organization  safety  tips  so  is  applicable  to  many  facets 
of  employees'  lives.  And  the  easy  to  read  design  has  multiple 
entry  points  so  you  are  assured  that  your  intended  audience  of 
employees — your  organization's  most  valuable  assets — will  read 
and  retain  the  information. 


RlTy 


nZe”01'"  ■ 


'S£c<JRity 


AHDp 


Subscribe  today! 


uble  fa/e'*" 

’hr""  v, 

,  ' 7  '*•»  II,..  !'"no. ... 


'ATH0i 


To  view  a  sample  issue  of  the  newsletter,  learn  about  the 
delivery  options  and  to  subscribe  visit: 

www.SecuritySmartNewsletter.com 


For  more  information  please  visit 

www.SecuritySmartNewsletter.com 

Security Smart is published by CSO, a business unit of CXO Media. © 2007 CXO Media Inc.


BUSINESS  RISK  LEADERSHIP 


How  to  Respond 
to  a  Data  Breach 
Disclosure 

Just found out that your personal information has been compromised? Here's what to do.

You’ve  just  received  a  breach  disclosure  letter  from  a  company, 
government  agency  or  financial  institution.  What  now?  Should 
you  call  the  police,  or  just  file  away  the  letter  and  hope  for 
the  best?  We’ll  guide  you  through  the  process,  based 
on  advice  from  Larry  Ponemon,  founder  of  the  Ponemon 
Institute,  and  Paul  Stephens,  director  of  policy  and 
advocacy  for  the  Privacy  Rights  Clearinghouse. 

The  first  step?  Take  a  deep  breath,  Stephens  says. 

These letters can be startling, but don’t panic; simply take the following steps to protect yourself.

1. EVALUATE YOUR RISK. First, find out everything you can about what happened. Read the disclosure letter carefully, and do an Internet search for more information. Go to the company’s website to see if they’ve issued a press release. Call the company’s toll-free number if you have any questions. You want to find out two things: First, what information was compromised. The more information that was disclosed, the higher your risk. Second, try to determine whether the information was lost because of negligence or theft. In cases of theft, the chance is higher that the information will be misused.

2. MONITOR YOUR ACCOUNTS. The most typical result of the theft of personal information is credit card fraud, Ponemon says. A thief will use your account for one or two transactions (quite possibly a large one) and then move on to the next victim. Fraud is most likely to occur right after the data is stolen, so monitor your account vigilantly for three to six months. You may want to have account numbers changed. However, if your data was lost (a tape fell off a truck, or a laptop went missing) this might not be necessary.

3. TAKE EXTRA STEPS IF YOUR SOCIAL SECURITY NUMBER HAS BEEN DISCLOSED. If your Social Security number has been compromised, you’ll need to notify the credit bureaus, put a fraud alert on your records and monitor credit reports to make sure new accounts aren’t being opened in your name. Technically, you need to notify only one credit bureau, which will then share the information with the other two. However, you can contact Equifax (Equifax.com), Experian (Experian.com) and TransUnion (Transunion.com) individually if you want to be sure that they all get the information. If you feel you’re at a particularly high risk, you can also do a security freeze, which is stronger than a fraud alert. It puts a lock on your credit report, making it virtually impossible for anyone (including you!) to obtain new credit in your name.

4. CONSIDER A CREDIT MONITORING SERVICE. Ponemon and Stephens both stress that credit monitoring services do many things that you could do yourself for free. For instance, thanks to the Fair and Accurate Credit Transactions Act (FACTA), you can get a free copy of your credit report every year from each of the three bureaus; that’s one free credit report every four months. However, if you don’t have the time to monitor your own credit, it might be worthwhile to pay for a credit monitoring service. Find out if the company that sent you the breach notification is willing to pay for this service. Ponemon is suspicious of free credit monitoring services, which may put spyware and adware onto your computer.

5. DECIDE WHEN TO CALL THE COPS. If you’re the victim of identity theft and not just credit card fraud, you do want to call the police and file a police report, Stephens says. Keep a copy of the report for your records. Typically, though, you don’t need a lawyer. Ponemon suggests working with the company responsible for the breach before you do anything else. “Call them if there is suspicious activity on your statement,” he says. “They need to know, and they probably have a system in place to help. They are motivated to keep you [as a customer], so it’s often to your advantage to contact them.” If you need more assistance, you can also contact your state attorney general or the Federal Trade Commission.

-Kathleen  S.  Carr 




Photo  top  left  by  Corbis 


COMPLIANCE 


The  ERP  Security  Challenge 

SAP’s Sachar Paulus talks about how the ERP software giant protects the software that may very well be your business’s backbone.


If your company runs SAP, some part of your organization’s security (probably a huge part of it) depends on Sachar Paulus. Until May, Paulus was CSO, responsible for IT, physical and organizational security at the $12 billion German company known for its enterprise resource planning software. Now, he’s SVP of product security, responsible for security strategy for all products. New threats, increasing complexity and emerging regulations have increased the importance of security on all fronts. Despite the high stakes, though, Paulus is not in the spotlight in the United States and does few interviews. CSO’s Katherine Walsh recently talked with him about SAP’s security strategy and global compliance issues, and how he stays on top of it all.


CSO: How has the security function at SAP been transformed?

Sachar Paulus: IT security is moving away from being mainly driven by the IT organization where the availability of the network and the information were top priorities in terms of security. Now, largely due to compliance requirements like Sarbanes-Oxley, integrity of information and confidentiality is more relevant and important. From a product perspective, security is a little more difficult. Years ago at SAP we had ways of managing complex authorizations for complex business systems. That’s something that requires additional expertise beyond the ERP system itself. There were few companies under the IT security label with that kind of expertise, but there was no big demand for it. Now there is more demand to prevent critical combinations of authorization for the same people.

What’s the regulatory landscape?

As a multinational company selling software all over the world, we have to deal with many different regulations. Sometimes you may have conflicting legal requirements to fulfill in different areas of the world. For example, in the United States you may need to control the content of the e-mail of employees to meet compliance regulations, but if you do this in Europe, you would be violating privacy laws. So you have to make a business decision about which is less risky for the company overall.


How do you reconcile those differences?

We have decided to go for a global security policy, with a globally uniform requirement. Additional, stronger requirements could be put in place by a local subsidiary. We use a “least common denominator” framework for the overall organization and more stringent regulations in the individual countries. We have similar rules for the product organization. When a product goes out into the different countries for sale, we make sure additional requirements for the local markets are reflected in the product, whether that be specific add-ons or restrictions.

What are some of the biggest ERP security threats?

The biggest risk is the insider threat: people who have access to the system who are using it in the wrong way or with the wrong authorizations, and there is not enough control installed within the company. The other threat comes from people connecting their ERP systems to the Internet, either to extend the supply chain support of the system or to expose specific functionalities in order to make life easier for the employees. The problem with this is that the classical, well-understood Internet threats are often not understood by the ERP people. They don’t think about threats like cross-site scripting. Viruses or worms using the ERP platform may come into play, and they don’t sufficiently understand the importance of security patches. The organization needs to bring together people who understand ERP security, and people who understand Internet, e-mail and Web services security.

How  often  do  you  assess  the  security  of 
your  software? 

We  do  that  on  a  regular  basis.  We  employ  four, 
five  or  sometimes  six  providers  of  assessment 
specialists  for  security  of  products.  We  first 
look  at  things  like  internal  runtime  so  we  can 
make  sure  there  is  no  buffer  overflow.  We  also 
test  authorization  management,  and  in  the 
last  few  years  we  have  started  to  mostly  look 
into  Web  vulnerabilities. 

How does security in a SAP environment differ from other business environments?

The difference with ERP is that the size of the bucket becomes much larger. When you have access to a system that size, security becomes more critical. But major security concerns, like attack vectors and the difficulty of raising employee awareness, the completeness of the controls, the maturity of the IT security methods and technologies, they are all very much the same.

-Katherine  Walsh 
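Paulus's point about preventing "critical combinations of authorization for the same people" is a segregation-of-duties control: each role a user holds may be harmless on its own, and the conflict only appears when the authorizations from several roles are combined. The following Python check is an added example, not SAP's code or anything from the interview. Every role name, authorization, user and conflict pair in it is a constructed assumption; in a real deployment the conflict matrix comes from the audit or compliance function and the role model from the ERP system itself.

```python
"""Segregation-of-duties (SoD) check over ERP role assignments.

Added example, not SAP's code. Demonstrates detecting and preventing
"critical combinations of authorization" held by one person. All role
names, authorizations, users and conflict pairs are constructed.
"""
from itertools import combinations

# Hypothetical conflict matrix: authorization pairs no single person may hold.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"maintain_user", "assign_role"}),
}

# Hypothetical role-to-authorization mapping (what each role grants).
ROLES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"post_journal"},
    "GL_REVIEWER": {"approve_journal"},
    "SECURITY_ADMIN": {"maintain_user", "assign_role"},
}


def effective_authorizations(assigned_roles):
    """Union of the authorizations granted by every role a user holds."""
    auths = set()
    for role in assigned_roles:
        auths |= ROLES.get(role, set())
    return auths


def sod_violations(user_roles):
    """Detective control: {user: [sorted conflicting pairs]} for every user
    whose *combined* roles grant a forbidden pair. Checking the union rather
    than each role alone is what catches cross-role combinations."""
    findings = {}
    for user, roles in user_roles.items():
        auths = effective_authorizations(roles)
        hits = sorted(
            tuple(sorted(pair))
            for pair in combinations(sorted(auths), 2)
            if frozenset(pair) in CONFLICTS
        )
        if hits:
            findings[user] = hits
    return findings


def would_violate(user_roles, user, new_role):
    """Preventive control: would granting new_role to user create a conflict?
    Run this before the role assignment is saved."""
    trial = set(user_roles.get(user, set())) | {new_role}
    return user in sod_violations({user: trial})


# Constructed sample assignments.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},  # can create a vendor and then pay it
    "carol": {"GL_ACCOUNTANT"},
    "dave": {"SECURITY_ADMIN"},         # conflict built into a single role
}

if __name__ == "__main__":
    for user, pairs in sod_violations(USER_ROLES).items():
        print(f"{user}: {pairs}")
    print("carol + GL_REVIEWER ->", would_violate(USER_ROLES, "carol", "GL_REVIEWER"))
```

The two functions correspond to the two ways such a control is usually run: `sod_violations` as a periodic sweep over existing assignments, and `would_violate` as a gate in the provisioning workflow so a conflicting role is refused before it is granted.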




COVER  STORY  I  DOCUMENT  SECURITY 


Learn  how  your  sensitive  records  can 
get  from  dank,  dusty  basement  to 
cavernous,  temperature-controlled 
storage  facility  without  incident. 
Rule  number  one:  Don't  think! 

By  Scott  Berinato 

Photography by Webb Chappell




LET’S MOVE SOME VALUABLE DOCUMENTS. Or a box of them. Maybe it’s proprietary research on a new drug. Maybe it’s the confidential testimony of an athlete in a steroids investigation. Maybe it’s the personal documents of a recently deceased, celebrated author. Who knows? The point is, if the cliche is true that information is currency, or even more valuable than currency, then when we move it around, it must be secured like money. Maybe better than that.

To understand both the risks and the security used all along the chain of custody, we visited with Joe DeSalvo, the head of security for information handling company Iron Mountain. DeSalvo will be the first to tell you that, no matter what security you put in place, incidents can happen. Indeed, this past fall, Iron Mountain suffered an incident in which personal data of financial aid applicants and their parents was lost due to an employee error. Prior to DeSalvo’s arrival, Iron Mountain suffered some other high-profile losses of backup tapes.

DeSalvo was brought in to reduce such incidents to as close to zero as possible. For the past 16 months he’s been creating a security program to that end. The program is a smooth blend of training, automation and technological innovation.

One of the principles behind DeSalvo’s program is, surprisingly, to reduce thinking. It seems counterintuitive, but it points to the difference between evaluating risk and incident response. The former is all about thinking, and conjuring up scenarios. The latter, though, is a rigid response protocol based on that previous thinking. And the more the risks can be thought about beforehand, the less thinking will be required in the event that an incident occurs.


WHERE: Central Massachusetts

SIZE: 650,000 square feet, 72 feet tall

STORAGE VOLUME: 8 million cubic feet

SHELVING: 35 linear miles

EMPLOYEES: 100, usually 50 working at a time

ACTIVITY: 25 drivers, each handling 1,200 transactions per day; 5,000 inbound boxes per day; 50,000 cubic feet of documents stored per month; 15,000 cubic feet of documents destroyed per month

STORAGE COSTS: 18-19 cents per cubic foot




“We’re  trying  to  eliminate  think 
points,"  he  says.  “We  don’t  want  people  to 
have  to  make  decisions.”  In  other  words, 
the  more  that  technology  and  process 
can  dictate  what  the  person  transferring 
documents  should  do,  the  more  DeSalvo 
can  reduce  the  risk  of  human  error,  which 
is,  in  the  end,  the  biggest  pool  of  risk  to 
navigate  in  chain-of-custody  scenarios. 
Drivers  shouldn’t  even  have  to  think  about 
whether  they  left  a  door  open.  So,  if  they 
did,  an  alarm  would  sound  and  the  truck 
wouldn't  start.  Period. 

On the other hand, DeSalvo also wants his drivers to be aware of their environment. Every pickup spot brings both predictable and unpredictable risks that the driver must be aware of and know how to handle. Drivers on a busy, one-way city street, for example, know they need to understand their parking options and to look for suspicious loiterers, while the driver pulling into an office park understands that companies other than his client, perhaps competitors, might share that space.

What’s  more,  other  threats  must 
be  addressed,  some  as  simple  as  wind 
blowing  open  a  box  and  scattering  paper. 
“Routine  things  present  great  challenges,” 
says  DeSalvo. 

DeSalvo  offered  an  inside  look  at  the 
entire  chain  of  custody,  from  pickup  point, 
to  the  truck  itself,  to  the  massive  storage 
facility  where  many  of  these  documents 
end  up.  Read  on  to  learn  about  the  risks 
along  the  way  and  the  security  used  to 
offset  them. 


THE  RISK:  Weather/environment.  Drivers 
need  to  be  aware  of  their  environment. 
Anything  from  scaffolding,  wet  cement  and 
jackhammers,  to  rain  and,  yes,  wind.  Next  to  a 
lost  or  stolen  document,  a  damaged  one  is  the 
second-worst  outcome  during  transfer. 

THE MITIGATION: Risk avoidance rules here. If drivers can keep their distance from these factors, they do. Sometimes they can’t. Rain falls everywhere, and wind is unavoidable. Drivers have had to dodge blocks of snow falling from roofs or awnings. You might be surprised at the kinds of freak accidents that could damage documents. Drivers are trained to be aware of all these elements. In addition, they are given tools to protect documents from the elements: straps to secure boxes from the wind and covers to protect them from the rain.


THE RISK: The client. DeSalvo notes that clients themselves can be careless with documents, leaving them in unguarded hallways or with other boxes of documents such that it’s hard for the driver to tell which are the ones designated for pickup. Client site mix-ups are a major concern in the chain of custody.

THE MITIGATION: Tricky, because it’s not usually good business to criticize a client. If a driver finds himself wending through a basement full of boxes to get to his boxes, he is encouraged to “train” the client in best practices to ensure a clean transfer, suggesting where and how to prepare the documents and why that will decrease the chances of a failure. Additionally, wireless scans of documents’ receipts are matched to scans of work orders to increase accuracy of what’s picked up.


Pickup 


This  is  when  DeSalvo  wants 
his  drivers  thinking  the 
most.  Every  pickup  point  has 
many  risks  to  consider. 


The  Site 

THE  RISK:  Parking.  In  cities  like  New  York, 
says  DeSalvo,  this  is  a  major  concern.  Not  only 
can  it  wreak  havoc  with  schedules  if  a  driver  is 
parked  in  or  simply  can’t  find  a  parking  spot, 
but  it  also  might  force  him  to  park  farther 
away.  That  increases  the  time  that  documents 
are  exposed  to  accidents  or  smash-and-grab 
heists  during  transfer  from  the  client  site  to 
the  truck. 

THE  MITIGATION:  Drivers  are  trained  to  know 
how  far  away  they  can  park  and  often  gather 
intelligence,  making  notes  of  the  best  spots 
and  times  to  make  transfers  for  regular  clients. 
In  some  cases,  says  DeSalvo,  in  places  like  New 
York,  pickups  are  scheduled  for  4  a.m.  to  avoid 
traffic  and  parking  concerns. 


THE RISK: Suspicious loiterers. This heist risk is different and more limited than transferring money. Money is valuable to anyone, whereas documents are not. Still, corporate espionage is serious business, and depending on the documents’ value, it needs to be addressed.

THE MITIGATION: The best way to mitigate this risk is to make it difficult for strangers to interrupt the pickup process. Drivers are also trained in looking for suspicious characters and have highly detailed procedures to follow in the event of a confrontation.


Photo  top  right  by  iStockPhoto 






Transfer 

Here,  the  technology  takes  over, 
and  “think  points”  are  drastically 
reduced.  DeSalvo  is  trying  to  make 
his  trucks  as  foolproof  as  possible. 

The  Truck  (a) 

THE RISK: Unsecured vehicle. Since documents from many pickups are in the vehicle, it is at its most vulnerable when the driver is inside a building procuring the current documents. The biggest risks are having documents easily taken out of the truck or having the truck itself stolen. Damage to the truck either through weather or vandalism is also a concern.

THE MITIGATION: DeSalvo uses an entire portfolio of devices and techniques to prevent this risk from becoming an event. Included:

■  Dual-key  ignition  (b).  Without  the  second 
factor  of  authentication,  the  vehicle  will 
not  start.  If  the  truck’s  cargo  area  is  not 
secure,  the  vehicle  won’t  start. 

■  Alarms,  including  a  proximity  alarm  that 
sounds  if  a  driver  moves  a  certain  distance 
away  from  an  unsecured  vehicle,  and  time- 
control  alarms,  which  sound  if  something  is 
unsecured  for  a  specified  amount  of  time. 

■ Smart latch (c). The backdoor latch is weighted and designed to be incapable of getting stuck between locked and unlocked, preventing the truck from being accidentally left open.

■  The  black  box  (d),  an  electronic  brain  fixed 
to  the  truck,  controls  alarms,  differentiates 
their  sound,  time-controls  door  locks  and 
records  alarm  events,  among  other  tasks. 

The  Driver  (e) 

THE RISK: Drivers present two risks. The smaller risk is malfeasance, a driver purposely exploiting the information he’s charged with transferring. The larger risk is the biggest one to address: human error, including losing or damaging boxes of documents, or allowing documents to be lost or stolen from the vehicle.

THE MITIGATION: Process, not technology, is central to this part of DeSalvo’s risk program. It costs more for a job that may otherwise be handled by low-wage drivers not trained in document handling, but the premium is offset by the risk reduction. What’s included to limit the risk of employee error:

■ Background checks. Deep research to limit chances a bad apple is hired.


■ Intense training, which ingrains proper document handling techniques in drivers’ heads so they can perform their jobs without even thinking.

■ Ignorance of documents being handled; drivers are not allowed to know details about what they’re transferring. In this way, a bad actor can’t determine what’s worth stealing, and well-meaning drivers won’t be able to make value judgments about what they’re handling and thus subconsciously treat one transfer as less important than another. The lack of knowledge means every document pickup could include an original copy of the Constitution and must be treated that way.

■ Empty cabs. Drivers are forbidden from putting any documents in the cabs of their trucks, ever, for any reason. This avoids a smash-and-grab problem and also protects the driver from liability for a lost document (or implicates him if he doesn’t follow procedure).

■ Capture and transmission of transaction data. Drivers must reconcile codes on documents with codes stored in the inventory system at the home office before a job is complete. If documents expected to be picked up aren’t scanned or if the driver doesn’t get a signature from the customer, his wireless scanner alerts him that the job is not done.
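The scanner check just described, and the matching of document scans to work orders mentioned at the pickup site, are both a reconciliation: the codes scanned on site are compared with what the inventory system expects for that work order, and the job stays open until nothing is missing, nothing unexpected has been taken, and the customer has signed. The Python below is an added illustration of that control, not Iron Mountain's inventory software; the work-order layout, box codes and scan events are constructed sample data.

```python
"""Chain-of-custody reconciliation for a document pickup job.

Added example, not Iron Mountain's software. Reconciles box codes scanned at
the client site against the work order and reports why a job is not yet
complete. Work-order format, box codes and job data are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class WorkOrder:
    order_id: str
    expected_boxes: frozenset  # box codes the inventory system expects on this job


@dataclass
class PickupJob:
    order: WorkOrder
    scanned_boxes: list = field(default_factory=list)  # codes in scan order
    signature_captured: bool = False


def reconcile(job):
    """Compare on-site scans with the work order.

    missing    - expected but never scanned (left behind or mixed into the
                 client's other boxes, the site mix-up the article describes)
    unexpected - scanned but not on the order (the wrong box was taken)
    duplicates - codes scanned more than once (likely a double scan, worth a look)
    complete   - True only when nothing is missing or unexpected and the
                 customer has signed
    """
    seen, duplicates = set(), set()
    for code in job.scanned_boxes:
        if code in seen:
            duplicates.add(code)
        seen.add(code)
    missing = sorted(job.order.expected_boxes - seen)
    unexpected = sorted(seen - job.order.expected_boxes)
    complete = not missing and not unexpected and job.signature_captured
    return {
        "order_id": job.order.order_id,
        "missing": missing,
        "unexpected": unexpected,
        "duplicates": sorted(duplicates),
        "signature": job.signature_captured,
        "complete": complete,
    }


def scanner_alerts(result):
    """The messages a handheld scanner would show before the job may be closed."""
    alerts = []
    for code in result["missing"]:
        alerts.append(f"NOT SCANNED: box {code} is on work order {result['order_id']}")
    for code in result["unexpected"]:
        alerts.append(f"NOT ON ORDER: box {code} is not on {result['order_id']}")
    for code in result["duplicates"]:
        alerts.append(f"DUPLICATE SCAN: box {code}")
    if not result["signature"]:
        alerts.append("SIGNATURE REQUIRED: customer has not signed")
    if not alerts:
        alerts.append("JOB COMPLETE")
    return alerts


# Constructed sample: a three-box order; one job misses a box and takes a wrong one.
ORDER = WorkOrder("WO-1001", frozenset({"BX-0001", "BX-0002", "BX-0003"}))
JOB_BAD = PickupJob(ORDER, ["BX-0001", "BX-0002", "BX-0002", "BX-0099"], signature_captured=False)
JOB_GOOD = PickupJob(ORDER, ["BX-0001", "BX-0002", "BX-0003"], signature_captured=True)

if __name__ == "__main__":
    for job in (JOB_BAD, JOB_GOOD):
        for line in scanner_alerts(reconcile(job)):
            print(line)
```

The check is deliberately symmetric: a box that is on the order but not scanned and a box that is scanned but not on the order are both failures, because the second case is how a client's unrelated records end up on the truck.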

Drop-Off 

The  final  point  of  risk  is  the 
storage  facility  itself,  where 
the  documents  go  to  live  until 
they're  needed  or  they  reach  their 
predetermined  age  of  destruction. 
Proprietary  inventory  software 
tells  floor  workers  where  the 
documents  should  be  stored. 

The  Facility  (f) 

THE  RISK:  Employee  theft  of  documents 

THE  MITIGATION: 

■  Ignorance.  Again,  employees  know  only  the 
metadata  about  documents  and  not  what 
the  documents  themselves  contain. 

■ Surveillance. Cameras and motion detection, including perimeter sensors and sensors in 96-square-inch HVAC ducts (for detecting animals). All entrance and egress points are alarmed, including roof hatches, and glass has break sensors. DeSalvo declined to put cameras at the truck bay because this spot had been shown to be low risk. It’s out in the open and documents stay there only temporarily. DeSalvo thought it high cost, low benefit. This decision may be revisited.

THE RISK: Fire. At this facility, in central Massachusetts, fire is the highest risk to documents. Obviously, fire damages or destroys paper, but even a small fire that sets off sprinklers can create water damage.

THE  MITIGATION:  Early-warning  fire  and 
smoke  detection  and  fire  suppression.  Notable 
are  the  “transverse  flue  sprinklers”  that  can 
suppress  fires  inside  the  narrow  gaps  between 
shelves.  ■ 


Executive  Editor  Scott  Berinato  can  be  reached 
at  sberinato@cxo.com. 



ANTIVIRUS 


BY  MICHAEL  FITZGERALD 

ANTIVIRUS  SOFTWARE  MAKES  Greg  Shipley  so  mad  he  has  to  laugh. 
“The  relationship  between  signature-based  antivirus  companies  and  the  virus 
writers  is  almost  comical— one  releases  something  and  then  the  other  reacts, 
and  they  go  back  and  forth.  It’s  a  silly  little  arms  race  that  has  no  end.” 

Shipley, CTO at Neohapsis, a security consultancy in Chicago, says the worst part is that the arms race isn’t helpful either to him or his clients. “I want to get off of signature-based antivirus as rapidly as possible. I think it’s a broken model and I think it’s an incredible CPU hog.”

The  question  is,  where  should  he  go?  Antivirus  as  an  industry  has  mod¬ 
eled  itself  on  the  human  immune  system,  which  slaps  a  label  on  things  like 
viruses  so  it  knows  to  attack  them  when  it  sees  that  same  label,  or  signature, 
again.  Signature-based  antivirus  has  moved  well  beyond  that  simple  type  of 
signature  usage  (though  at  the  beginning,  it  did  look  for  specific  lines  of  code). 
In  its  current,  more  sophisticated  form,  it  dominates  the  market  for  security 
software,  despite  some  obvious  limitations:  You  don’t  use  it  to  stop  data  leak¬ 
age,  for  instance,  though  many  kinds  of  malware  are  designed  to  siphon  data 


As  signatures 
proliferate, 
antivirus  vendors 
must  ramp  up 
other  techniques 
for  spotting 
and  squashing 
malware 


Illustration  by  Kevin  O'Keefe 


February  2008  www.csoonline.com  29 


ANTIVIRUS 


out  of  companies.  The  number  of  malware 
signatures  tracked  by  security  software 
company  F-Secure  doubled  in  2007,  and 
while  you  might  cynically  expect  such  a 
company  to  say  there’s  more  malware  out 
there,  2007’s  total  doubled  the  number  of 
signatures  F-Secure  had  built  up  over  the 
previous  20  years. 

Even  before  2007,  there  were  plenty  of 
people  besides  Shipley  arguing  that  antivi¬ 
rus  was  an  industry  in  trouble.  In  fact,  in 
2006,  Robin  Bloor,  an  analyst  at  Hurwitz 
&  Associates,  penned  a  report  titled  “Anti¬ 
virus  is  dead.”  He  argued  that  malware 
exists  only  because  antivirus  software 
exists,  and  said  that  antivirus  software 
was  doomed  to  be  replaced  by  new  forms 
of  software,  which  he  calls  application  con¬ 
trol,  or  software  authentication  tools.  Such 
tools  whitelist  the  software  we  use  and 
won’t  run  anything  else  without  the  user’s 
explicit  permission. 

Antivirus  firms  think  their  death 
is  greatly  exaggerated,  thank  you  very 
much— even  those  that  aren’t  overly  reliant 
on  signatures,  like  BitDefender,  which  says 
that  signature-based  techniques  account  for 
only  20  percent  of  the  malware  it  catches. 

“Signatures  aren’t  dead— you  need 
them,”  says  Bogdan  Dumitru,  chief  tech¬ 
nology  officer  of  the  Romanian  firm,  which 
uses  behavioral  targeting  techniques  to  stop 
the  remainder  of  attacks.  Its  main  research 


to  limit  false  positives. 

It’s  also  true  that  antivirus  makers 
continue  to  sell  billions  of  dollars  worth 
of  software,  despite  Bloor’s  proclamation. 
Bloor,  though,  says  that  “the  technique  of 
protecting  PCs  using  virus  signatures  is 
now  on  the  wane,”  and  rattles  off  a  list  of 
whitelisting  companies  offering  software 
authentication  tools— not  just  Bit9,  but  also 
companies  such  as  Lumension  (formerly 
SecureWave),  Savant  Protection,  Com¬ 
puter  Associates  and  AppSense.  And  he 
noted  the  Kaspersky  deal  and  Apple’s  use 
of  whitelisting  to  protect  the  iPhone. 

Not  Just  Whitelisting 

Antivirus  software  has  its  uses.  If  a  system 
is  actually  infected  by  malware,  it  “may  be 
the  least  painful  way  of  removing  it,”  says 
David  Harley,  administrator  of  Avien, 
the  antivirus  information  exchange  net¬ 
work,  adding,  “Whitelisting  does  seem  to 
be  advocated  currently  as  the  panacea  du 
jour.  I  think  this  relentless  search  for  The 
Answer,  discarding  one  partially  successful 
solution  set  for  something  else  in  the  hope 
that  it  will  eliminate  the  problem,  is  actually 
unprofessional.” 

Harley  makes  that  argument  because  he 
doubts  that  any  single  technology  approach 
will  be  a  too  percent  solution  when  it  comes 
to  security.  He  wrote  that  whitelisting 
thus  is  likely  a  supplemental  technology 


to  break  it  down  himself  to  understand  its 
potential  effects,  rather  than  to  wait  for  his 
vendor  to  give  him  an  update.  His  firm  has 
also  adopted  tools  that  use  heuristics  tech¬ 
niques  and  anomaly  testing,  to  add  oomph 
to  its  antivirus  approach. 

That  kind  of  layered  approach  to  soft¬ 
ware  fits  with  where  Natalie  Lambert,  an 
analyst  at  Forrester  Research,  thinks  the 
market  is  going.  She  says  that  signature- 
based  antivirus  is  “table  stakes”  for  secu¬ 
rity  software,  and  techniques  like  heuristic 
information  processing  systems,  or  HIPS, 
which  looks  for  suspicious  actions  by  soft¬ 
ware,  like  an  application  opening  itself  from 
the  Temp  folder. 

Lambert  says  McAfee  is  probably  fur¬ 
thest  along  in  using  HIPS  among  the  big 
antivirus  makers,  having  had  more  time 
than  its  rivals  to  new  features  added  via 
corporate  acquisitions. 

The  downside  to  these  technologies  is 
that  none  are  as  simple  and  alluring  as  the 
old  signature-based  antivirus,  which  she 
called  a  “set  it  and  forget  it”  technology.  She 
notes  that  HIPS  technologies  are  difficult  to 
manage  and  will  never  be  as  simple  as  the 
old  model,  though  she  expects  they  will  get 
easier  over  time. 

Neohapsis’s  Shipley  says  none  of  these 
techniques  are  really  new— he  notes  that 
it’s  been  more  than  four  years  since  McAfee 
purchased  Entercept,  for  instance.  But 


‘If  you  rely  on  signatures  for 
security,  you’re  pretty  much  dead 
in  the  water.” 


-KEN  PFEIL,  DIRECTOR  AND  HEAD  OF  INFORMATION 
SECURITY  FOR  THE  AMERICAS  REGION  OF  WestLB 


focus  is  to  develop  an  “undo”  feature  that 
will  let  users  hit  by  malware  reverse  its 
effects.  BitDefender  hopes  to  release  this 
feature  in  2008. 

Meanwhile,  Bit9,  the  application  white¬ 
listing  company  highlighted  in  Bloor’s 
report,  uses  antivirus  software  to  help 
build  its  database— 22  kinds  of  antivirus 
software,  in  fact.  In  November  2007,  it 
announced  a  deal  to  give  access  to  this  data¬ 
base  to  security  software  maker  Kaspersky 
Labs.  Bit9  officials  said  that  the  database 
will  help  Kaspersky  check  new  signatures 


for fighting malware, making it one of a host of newer technologies that have been adopted, including heuristics, sandboxing and behavior monitoring.

Corporate CISOs certainly don’t expect to find one answer to their problems. “If you rely on signatures for security, you’re pretty much dead in the water,” says Ken Pfeil, head of information security for the Americas Region of WestLB, a German bank. Pfeil thinks signatures are useful and his firm uses them. But when new malware appears, he often finds it faster to try


“what role does it play and what percentage of things does it stop? I have no visibility into that.” Shipley says he plans to bring in Bit9 to look at whether it could really replace his current antivirus software.

Antivirus firms agree that they are becoming something different.

Sophos, for instance, uses several additions to signature-based AV. Sophos examines program behavior—the modifications a program makes to things like system configuration and files as the program runs. The company has also built in a preexecution algorithm, a kind of crystal ball to simulate what unfamiliar code looks likely to do. Richard Wang, manager of Sophos Labs in the U.S., says that while signatures are easy to create, things like preexecution code are harder and thus take more time. But the payoff is that it can work against multiple strains of malicious software. He said that for the Storm worm, Sophos generated only one signature but has been able to recognize all the variants. Wang describes this type of technique as “almost like a broad-spectrum antibiotic.”
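The three models the article contrasts (exact-match signatures, HIPS-style behavior rules such as “an application opening itself from the Temp folder,” and Bit9-style whitelisting) each miss something the others catch. The Go program below is an added example, not code from the article or from any vendor named in it: it runs all three over three constructed process-start events, so the gaps are visible side by side. The event format, the paths, the sample bytes and the names Evaluate and SampleScenario are assumptions made for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Verdict is what one detection technique concludes about a process start.
type Verdict string

const (
	Clean      Verdict = "clean"
	Malicious  Verdict = "malicious"  // signature hit
	Suspicious Verdict = "suspicious" // behavioral rule hit
	Unknown    Verdict = "unknown"    // not on the allowlist: block or escalate
)

// Event is a constructed process-start record of the kind an endpoint agent
// reports: the path the image ran from and the image bytes (hashed below).
// The format is hypothetical, not any vendor's.
type Event struct {
	Image   string
	Content []byte
}

func fileHash(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// signatureVerdict is the classic model: an exact hash match against a list of
// known-bad files. Any change to the sample, even one byte, defeats it.
func signatureVerdict(e Event, knownBad map[string]bool) Verdict {
	if knownBad[fileHash(e.Content)] {
		return Malicious
	}
	return Clean
}

// behaviorVerdict is the HIPS-style rule from the article: it ignores what the
// file is and flags what it does, here launching from a Temp directory. It
// catches the unseen variant, at the cost of tuning to keep false alarms down.
func behaviorVerdict(e Event) Verdict {
	normalized := strings.ToLower(strings.ReplaceAll(e.Image, "\\", "/"))
	for _, segment := range strings.Split(normalized, "/") {
		if segment == "temp" || segment == "tmp" {
			return Suspicious
		}
	}
	return Clean
}

// allowlistVerdict is the whitelisting model: only hashes in the known-good
// database run; everything else is Unknown, whether or not anyone has
// written a signature for it yet.
func allowlistVerdict(e Event, knownGood map[string]bool) Verdict {
	if knownGood[fileHash(e.Content)] {
		return Clean
	}
	return Unknown
}

// Evaluate runs all three techniques over one event so their gaps can be compared.
func Evaluate(e Event, knownBad, knownGood map[string]bool) map[string]Verdict {
	return map[string]Verdict{
		"signature": signatureVerdict(e, knownBad),
		"behavior":  behaviorVerdict(e),
		"allowlist": allowlistVerdict(e, knownGood),
	}
}

// SampleScenario builds three constructed events: a sample already in the
// signature database, a never-seen variant of it dropped into Temp, and a
// legitimate system binary. All bytes and paths are made up for the demo.
func SampleScenario() map[string]map[string]Verdict {
	known := []byte("MZ constructed sample, revision 1")
	variant := []byte("MZ constructed sample, revision 2") // one byte differs
	legit := []byte("MZ constructed legitimate editor binary")

	knownBad := map[string]bool{fileHash(known): true}
	knownGood := map[string]bool{fileHash(legit): true}

	events := map[string]Event{
		"known-sample": {Image: `C:\Users\alice\Downloads\invoice.exe`, Content: known},
		"variant":      {Image: `C:\Users\alice\AppData\Local\Temp\update.exe`, Content: variant},
		"legit-editor": {Image: `C:\Windows\System32\notepad.exe`, Content: legit},
	}
	results := map[string]map[string]Verdict{}
	for name, e := range events {
		results[name] = Evaluate(e, knownBad, knownGood)
	}
	return results
}

func main() {
	for name, v := range SampleScenario() {
		fmt.Printf("%-13s signature=%-9s behavior=%-10s allowlist=%s\n",
			name, v["signature"], v["behavior"], v["allowlist"])
	}
}
```

The output makes the article’s argument concrete: the signature catches only the sample it was written for, the behavior rule catches the variant because of where it ran rather than what it is, and the allowlist treats both as Unknown while letting the known-good editor run. It also shows why Lambert calls these techniques harder to manage: the behavior rule and the allowlist both need an organization to decide what counts as normal.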

Child’s Play?

Interestingly, the OLPC XO (from the One Laptop Per Child Foundation) is another place to look at new AV techniques. The XO uses the Bitfrost specification, developed expressly for this simple computer. OLPC claims that the system “is both drastically more secure and provides drastically more usable security than any mainstream system currently on the market.”

The OLPC XO ships in a default mode that is basically locked down but simple for the user to open up. The Bitfrost specification uses a series of built-in protections, including sandboxes or program jails for applications and system-level protections that prevent alterations from code that could do something harmful.

Whether Bitfrost would work in a corporate environment or will be commercialized outside the OLPC project is unclear. But Avien’s Harley, for one, thinks that there are psychological reasons why antivirus software is unlikely to go away.

“The idea of a solution that stops real threats and doesn’t hamper nonmalicious objects and processes is very attractive. People (at any rate, those who aren’t security specialists) like the idea of threat-specific software as long as it catches all incoming malware and doesn’t generate any false positives, because then they can just install it and forget about it. Unfortunately, that’s an unattainable ideal.”

Note to Greg Shipley: Don’t hold your breath on getting rid of your antivirus software. ■

Michael Fitzgerald is a freelance writer based outside of Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.


OLD SCHOOL

Why some classic viruses may be back to haunt a corporate network near you

The ghosts of viruses past are never far away. Recently, a German computer manufacturer discovered it was shipping PCs that contained a variant of the Stoned virus called Angelina, a 15-year-old boot sector virus. Over the last year, there has been a resurgence of file infector, or parasitic, viruses as well: Not too long ago, W32/Virut began infecting .exe and .scr files, causing significant damage to a number of computer systems.

“Over the last six months, we’ve seen some nasty parasitic infectors and old-school destructive viruses,” says Dave Marcus, security research and communications manager at McAfee. While such viruses account for only 10 percent of all the malware that exists, static malware like bots and Trojans are still far more common. Recycled threats are on the radar of the major antivirus vendors, Marcus says.

“Our view is that viruses will always be lurking in your desk drawer, maybe getting dusty, but one day they will catch up,” says Graham Cluley, a senior technology consultant at Sophos. That is why the antivirus vendor never delists virus signatures from its products. “There is a lag time between when viruses are detected and when they actually become extinct,” says Robert Freeman, team lead, X-Force Protection Technologies, part of IBM Internet Security Systems (ISS). “And due to Internet connectivity, many [viruses] that really shouldn’t be prevalent are not yet extinct.” That’s because today, many viruses of old can replicate through e-mail or peer-to-peer technologies that were not as prolific in the age of floppy disks.

Marcus says that the choice to remove certain virus signatures is dependent on a few factors. “There is such a cyclical nature to malware that we don’t like to completely remove the capabilities to deal with them. We may disable some based on the fact that most operating systems no longer utilize the old functions those viruses require. However, we try and leave them in the collection database, but consider downgrading their need.” Cluley says the practice of determining which viruses can be removed from the database is often more effort than it’s worth. If a vendor does decide to delist something, it’s usually due to performance issues, says Cluley. “Rather than spend nine months redesigning their antivirus, the simpler fix is to reduce the amount of malware it addresses until they’re ready with their new engine.”

ISS points to behavioral and heuristic techniques (see accompanying story) as perhaps better ways to solve the problem of polymorphic malware. That way, ghosts like Angelina won’t be so easy to recycle once their signatures become too old to recognize. -Katherine Walsh




LEADERSHIP

How to Communicate With Your CEO About Security

Former Sharper Image CEO Richard Thalheimer and CSO Joe Williams talk about how a close reporting relationship helped them reduce fraud and prioritize risks during their




How does a CSO earn the trust of his CEO? Keep the security department operating within its budget, focus on the biggest problems and keep the lines of communication open. Those are the key lessons Richard Thalheimer, founder and former CEO of Sharper Image, and his former CSO Joe Williams learned during the years they worked together at the retailer known for pricey gadgets.

Thalheimer left Sharper Image in September 2006 amid sagging profits and Williams left shortly thereafter. During their time together, however, they enjoyed one of corporate America’s most successful CEO/CSO partnerships—one that helped them reduce fraud and shrinkage and led to such mutual trust that the two, both pilots, now share a small airplane. They spoke with CSO about how they used that relationship to shape security strategy and prioritize risks, and why their friendship is still going strong.

CSO: Which came first, your business relationship or your friendship?

Joe Williams, former CSO, Sharper Image: We didn’t know each other prior to working together. I started working for Sharper Image in 1985, and we began working more closely together over the years. At some point fairly early on, we started our direct reporting relationship. We became very close in the business aspect because of that. I think we both realized early that clear communication, going all the way to the top, was the best way to have the organization set up. That way, Richard knew exactly what was going on at his company in all areas, rather than having some things shielded. After that relationship developed, we realized we had a lot of common interests outside of that, whether it was flying, motorcycles or cars.

CSO: The two of you share a small plane; tell me about that.

Richard Thalheimer: It was originally a business thing: We had certain store locations that were difficult to get to on commercial jets, like Fresno, Calif., or Scottsdale, Ariz. We’ve had a couple different planes over the years, a Bonanza and a Cessna among them. It was easier to use our little plane to visit those stores. Those experiences made us closer too. When you fly around in a small plane that consists of four seats and a propeller, just by being in that space for hours at a time with someone, you become better acquaintances.

CSO: How did you prioritize the risks facing Sharper Image?

Williams: We evaluated risk based on where the biggest potential loss was. Credit card fraud was important to stay on top of daily. Shrinkage could also add up quickly. Retail loss prevention is much like Whack-a-Mole. Problems pop up in one hole, and once you’ve solved that, it pops up somewhere else. That’s what you’re doing, especially when you have a lot of stores. One of the best things you can do is to prioritize what’s going on that day.

Thalheimer: In our business, we found that more losses occurred internally than from credit card fraud online. There is a temptation to embezzle products. A lot of our work was involved with managing and motivating our own people to not be tempted.

CSO: How did you make decisions about whether to report a crime or pursue a criminal? When did you expect Joe to call and tell you about a problem?

Thalheimer: It would depend on what it was or who it involved. If it involved customers or store personnel at a lower level, often I wouldn’t hear about it, particularly if the stock clerk was being arrested in Tennessee or something like that. But if it




was some sort of fraud or embezzlement, I’d want to know that, because those are people that are either directly or indirectly reporting to me. In general, seeing that the CSO is able to maintain his loyalty to the CEO and bring things to that person’s attention without any attempt to cover it up builds a much stronger bond over time.

CSO: Was it ever hard to understand the ROI of security? Did you ever have a hard time understanding the reasoning behind a request for security funding?

Thalheimer: I don’t doubt every CEO goes through the process of evaluating their top management. But one observation about the way Joe ran the department is that it was always seemingly on a budget that was less than one might expect, rather than more. His department did not waste money. Once I recognized that personality trait of Joe’s, it was easy to have confidence that whatever expenditures they wanted to make were well worth it. They were usually under budget rather than over.

CSO: You had some great successes on the security front. In 2004, Sharper Image prevented $13 million in merchandise from leaving the company, and chargebacks for Internet and telephone orders were 0.33 percent, which is low for the industry. Do you think those things could have been achieved without the relationship the two of you have?

Williams: No, I don’t. Many people knew of my direct relationship with Richard and knew I had his support and backing, and it carried a lot of weight with my staff. So when I went to enforce a process or procedure, I always got what I needed from them, as far as performance goes.

Thalheimer: My message always was that I supported the security efforts, and I wouldn’t tolerate any manager’s nonresponsiveness to those efforts. That message became very clear in our company.

If it was important to Joe, it was important to me. As the CEO of Sharper Image for 30 years, I repeatedly gave the message that I was behind our security officer.

CSO: What did Joe do that you wish every CSO would do?

Thalheimer: He wasn’t afraid to bring anything to my attention. The CEO needs to have the confidence that the CSO is pursuing good choices to prevent as many threats as possible. One of the ways he achieves that confidence is through communication.

CSO: And Joe, what did Richard do that you wish every CEO would do?

Williams: The main thing was that I had an open line to Richard. I knew what not to waste his time with and what to go to him on. That was the key to my success there.

CSO: What do you say to other CSOs who are struggling with their CEO relationship? How can they improve it?

Williams: The obvious one is that some companies tend to want to have the CSO report to someone other than the CEO. I don’t understand why you would ever want to put a filter between the top “police officer” in the company and the president. I would assume if the head of the FBI thought he had a serious problem he could call the president and tell him. The CSO also needs to be involved in more than just the security function. You have to be proactive about fixing problems even if it’s not directly related to your function. That makes you more valuable to the company and to the CEO.

CSO: If you had to choose one thing that helped make your relationship work, what would it be?

Williams: I could be totally honest with Richard about what was going on. It may not have been something he wanted to hear, or liked to hear, but he wanted to know what was going on. And I knew I didn’t have to worry about whether or not to tell him something. There was openness, both ways.

Thalheimer: Joe solves problems; he doesn’t create them. He is someone who can quickly communicate a problem, develop a strategy for solving it and then carry through with that. That’s an individual characteristic of him, but it was key to what made our relationship work. ■

Staff Writer Katherine Walsh can be reached at kwalsh@cxo.com.




InterContinental Buckhead, Atlanta, Georgia, March 16-18, 2008

CSO Perspectives

Becoming the Complete CSO

Security leaders face no shortage of challenges. Join CSO magazine for the 5th annual CSO Perspectives conference and walk away with the practical information and skills needed to help you perform your job better.

Meet and exchange ideas with the very best security leaders in the field, including this year’s Compass Award honorees. Every year the CSO Perspectives conference brings together the top minds in security for an unparalleled learning and networking experience.

Don’t miss keynote presentations from:

■ Eric O’Neill, Associate, DLA Piper; Former Operative, National Security Division, FBI
■ Milton Ahlerich, Vice President, Security, NFL
■ Louis Freeh, Former Director, FBI

Topics include:

■ Leadership ■ Economic Espionage ■ Corporate Monitoring ■ Strategic and Tactical Breakout Sessions

Reference Priority Code AD and attend the full program for $995.

Register Now: call 800.366.0246 ■ visit www.csoperspectives.com ■ e-mail executiveprograms@cxo.com


[undercover]

By Anonymous

The Day After the Deputy CISO Left Work on a Gurney

Planning for the unexpected absence of key staff members

I was sitting in a meeting when my assistant rushed in and whispered to me that there were paramedics in my deputy CISO’s office. I excused myself, and as I walked out of the conference room, I saw my deputy on a gurney being pushed into an elevator by three paramedics and two firefighters. The only thing they told me before the elevator door closed was that she was having difficulty breathing and they were taking her to the hospital.

After they left, I realized that I didn’t know what hospital she was going to or what, if anything, I should tell her family. About five minutes later, her husband called me and said that he was the one who had called the ambulance. They had been talking on the telephone when she began having medical problems. A couple of hours later, I got another call from her husband, who said that although his wife wasn’t in critical condition and would recover, the medical staff wasn’t sure when she would be able to return to work.

Although I was relieved to hear that she would recover, I began thinking about the projects she was working on and the people she was dealing with. I knew she was working with the legal folks on a contract issue and with HR on a critical personnel situation. Unfortunately, though, I had few details about most of the other things she was involved with. We had a couple of pilot projects and technology reviews with some vendors, but I didn’t have any names or numbers for the people she was working with. Most importantly, we were in the middle of our annual budget development, and she had been working with several groups to gather metrics and establish new security requirements for the subsequent funding they would need.

I had no idea whom I should contact to cancel meetings, what could or could not be postponed and if any of the negotiations were at a critical stage where I needed to elegantly step in and take over. We’ve all heard the anecdotes about key people getting “hit by a bus” and disrupting the organization, but I was now looking at almost that same scenario. In the end, it turned out that she was back to work sooner than I first feared, but the whole thing was an eye-opening experience for me.

It could have been much, much worse, of course. A few months ago, one of our vendors told me that one of its regional salespeople had died suddenly, and the company had to try to re-create his last few weeks of work to determine what customers he was working with, what stage of talks he was at with certain customers and what he had agreed to with others. It began getting frustrated calls from some customers wondering what had happened, and other customers even tried to take advantage of the situation by making claims that they had been promised certain things that were contrary to company policy. What’s more, this salesman had encrypted all of his files, including his customer contact list and pending sales list. This is usually a smart move, but unfortunately for this vendor, he had used an encryption program not managed by the company, which meant there wasn’t a back-door way for it to get into his files. The company literally had to start all over with the customers in the area.

Points of Failure

The day my deputy CISO left unexpectedly wasn’t the first time I faced such a scenario. Several years ago, one of my key engineers had a family medical emergency that required him to move out of state for several months while a child received specialized medical care. During this time, he was almost completely incommunicado. He didn’t have access to a computer because this was before the days when nearly everyone had a laptop. The immediate void caused some critical outages because, although we were able to bring in someone with the technical skills to cover his position, he had been working on a couple of very technical projects that only he had knowledge of. To complicate things further, he had encrypted a lot of the files that the organization needed for daily operations.
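Both encryption stories in the column come down to the same design gap: the files were protected under a key only one person held, so there was no “back-door way” for the organization to get in. The standard fix is company-managed encryption that wraps each file’s key for more than one holder, with one slot reserved for an organizational recovery key kept offline under dual control. The Go program below is an added example, not the columnist’s or any vendor’s code: it implements that envelope scheme with AES-256-GCM, encrypting each file under a fresh data key and wrapping that key once for the user and once for the recovery holder. The slot names (“user”, “recovery”), the sample text, and the functions Encrypt, Decrypt and Demo are constructed for the demonstration; the offline handling of the recovery key is an assumption about deployment, not something the code enforces.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// KeySlot is the file's data key wrapped (AES-256-GCM) under one holder's
// key-encryption key. The slot name is bound in as associated data, so a
// slot cannot be quietly relabelled as a different holder's.
type KeySlot struct {
	Nonce   []byte
	Wrapped []byte
}

// EncryptedFile is the ciphertext plus one slot per party allowed to open it.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	Slots      map[string]KeySlot
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // a failing entropy source is not something to work around
	}
	return b
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealAEAD(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = randomBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func openAEAD(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt uses a fresh data key per file and wraps it once per holder. With a
// "user" slot and an organization "recovery" slot, the employee's own key is
// never shared, yet the organization can still open the file without them.
func Encrypt(plaintext []byte, holders map[string][]byte) (*EncryptedFile, error) {
	dataKey := randomBytes(32)
	nonce, ct, err := sealAEAD(dataKey, plaintext, nil)
	if err != nil {
		return nil, err
	}
	f := &EncryptedFile{Nonce: nonce, Ciphertext: ct, Slots: map[string]KeySlot{}}
	for name, kek := range holders {
		n, wrapped, err := sealAEAD(kek, dataKey, []byte(name))
		if err != nil {
			return nil, err
		}
		f.Slots[name] = KeySlot{Nonce: n, Wrapped: wrapped}
	}
	return f, nil
}

// Decrypt unwraps the data key from the named slot and opens the file. A file
// written with only a "user" slot has no way back in for anyone else.
func Decrypt(f *EncryptedFile, slot string, kek []byte) ([]byte, error) {
	s, ok := f.Slots[slot]
	if !ok {
		return nil, fmt.Errorf("no %q key slot: file cannot be recovered this way", slot)
	}
	dataKey, err := openAEAD(kek, s.Nonce, s.Wrapped, []byte(slot))
	if err != nil {
		return nil, fmt.Errorf("unwrap via %q: %w", slot, err)
	}
	return openAEAD(dataKey, f.Nonce, f.Ciphertext, nil)
}

func must(f *EncryptedFile, err error) *EncryptedFile {
	if err != nil {
		panic(err)
	}
	return f
}

// Demo plays out both situations from the column on constructed data: a file
// with a recovery slot that the organization can open, and one encrypted under
// the user's key alone that it cannot. It returns the recovered text and both errors.
func Demo() (recovered string, noSlotErr, wrongKeyErr error) {
	userKey, recoveryKey, otherKey := randomBytes(32), randomBytes(32), randomBytes(32)
	managed := must(Encrypt([]byte("customer contact list (constructed)"),
		map[string][]byte{"user": userKey, "recovery": recoveryKey}))
	plain, err := Decrypt(managed, "recovery", recoveryKey)
	if err != nil {
		panic(err)
	}
	_, wrongKeyErr = Decrypt(managed, "recovery", otherKey) // unrelated key: GCM tag check fails
	personal := must(Encrypt([]byte("same list, personal tool"), map[string][]byte{"user": userKey}))
	_, noSlotErr = Decrypt(personal, "recovery", recoveryKey) // no slot was ever written
	return string(plain), noSlotErr, wrongKeyErr
}

func main() {
	recovered, noSlot, wrongKey := Demo()
	fmt.Println("via recovery slot:", recovered)
	fmt.Println("personal tool file:", noSlot)
	fmt.Println("wrong recovery key:", wrongKey)
}
```

The point of the design is that recovery is decided at encryption time, not at crisis time: the “personal tool” file has no recovery slot, and no amount of authority after the fact can add one. Binding the slot name as associated data also means a recovery slot cannot be presented as a user slot or vice versa without the tag check failing.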

Since then, I’ve been pretty meticulous in avoiding any single point of failure for my technical positions. I think most CSOs are. But what about our leadership? People sometimes joke that things might run more efficiently without any managers around, but it’s obvious that some things come to an immediate halt when you lose key staff. That’s why in the military and in a lot of major companies, there are policies forbidding leadership from traveling together and—in some instances where the political or geographic climate is unfriendly—even from meeting due to the possibility of one disastrous event eliminating or incapacitating the upper hierarchy of an organization. In many cases, we tend to over-rely on key personnel with critical leadership skills or organizational memory, and this can have a negative impact on both the business and the other people in the organization.

The reality is that the loss or incapacitation of key personnel can result in organizational chaos unless you have some form of plan that addresses how you respond. I’m no doomsdayer, but recent discussions about the potential impact of an avian flu pandemic are enough to make you sit up and take notice. Estimates by the Centers for Disease Control show that an influenza pandemic could infect up to 200 million people and cause between 200,000 and 1.9 million deaths in the United States. They also note that absenteeism of up to 20 percent to 50 percent from staff, vendors and services could occur. That would take a bite out of any organization’s productivity!

While my organization has a business continuity plan for recovering from interrupted critical functions after various emergencies, and a disaster-recovery plan for resuming operations, neither of these addressed the loss of key leadership personnel like I have now experienced. It may sound egotistical, but it quickly became clear to me on that day that if either I or any of my leadership team became ill or died, then the entire organization would face major difficulties. I was convinced that without our corporate knowledge and professional contacts, the potential organizational risks were too high to ignore.


Strategies for Coping

We don’t have the time or space here to go into the entire risk management process or details of business continuity, but a simple way to start is to ask your leadership team members what the impact would be if they didn’t show up for work tomorrow. This should lead to identifying the critical activities performed by each individual. The next step might be to detail how the loss of each of these key people would affect those activities and how the operations or business would be impacted if the objectives couldn’t be accomplished.

From a more formal perspective, there are several other steps you can take:

Better communication. Having regular communication with your team is a good way to stay abreast of the day-to-day activities in your group. We sometimes become so dependent on e-mail that we forget how important it is to actually talk and ask questions. I can’t count the times some nonverbal clue in a conversation led me to ask one more question that led to the nut of the problem or gave me some information that I didn’t know I needed.

Meetings, bloody meetings. Regardless of (un)conventional wisdom and what the (mis)informed may believe, good staff meetings are an essential means of understanding who is working on what as well as what those important things are. The key word here is “good.” We’ve all spent time in meeting hell. On the other hand, well-organized meetings can benefit everyone.

One time I began to feel that our weekly staff meetings were wasting people’s time and that I could accomplish the same thing by meeting individually with key staff members on a regular basis. After about four weeks, I began getting comments from staff complaining that they never knew who was working on what anymore or what was going on and asking to have the staff meetings reinstituted. The lesson here is that there’s a synergy from getting the group together, and that ability to share information is a significant component of mitigating the loss of key personnel.

KMA. Although I never want to be accused of being a micromanager, I also never want to be caught without critical information when I need it. I understand that it’s a double-edged sword, and the team never lets me forget it. My mantra to my staff is Keep Me Advised (KMA). I don’t need to (and in most cases don’t want to) get involved in making routine operational decisions, but I always want to know when something unusual is going on. I hate getting calls from my boss, a vendor or a customer about an issue or incident that my staff is working on that I don’t know anything about. This also goes with external conversations that could potentially impact our government customers or public constituents.


Personnel evaluations and progress reports. A good time to go over major activities that your leadership team is involved with is during regular evaluations or reporting period reviews. Because this is when you are typically establishing professional goals, it’s the perfect time to identify both the formal and informal functions your people are working on.

Planning for the loss of key people, including your leadership team, is critical to your continuity of operations. After my experience with my deputy CISO, I’m even more of an advocate of the old saying, “The worst time to plan for an emergency is during the emergency.” Not only is it the worst time, but it’s also a pretty painful time—even if you’re not the one who leaves the office on a gurney. ■

Undercover is written by an anonymous CSO. Send feedback to csoundercover@cxo.com.




[INDUSTRY VIEW]

By Yong-Gon Chon and Bill Jaeger

Operation Combination

Looking for cost savings and better security? Merging network and security operation centers could deliver.

Network operation centers (NOCs) and security operation centers (SOCs) are the critical IT nerve centers of public and private enterprises throughout the world. Historically, NOCs and SOCs functioned as separate entities serving different missions. The NOC’s purpose has always been to ensure “power, ping and pipe” to computing resources and is critically measured on uptime service-level agreements (SLAs). Conversely, the SOC’s purpose has been to “protect, detect, react and recover” and is critically measured on response time SLAs. Combined, these operations serve as both central nervous and immune systems to ensure the availability and integrity of IT assets. A variety of factors routinely put these IT assets at risk, from staff attrition, skill deprecation and rising salaries to regulatory mandates, privacy compromises and intellectual property leakage. NOCs and SOCs are challenged to do more with less as cost-center funding struggles to pace business growth. Leveraging common NOC and SOC characteristics to build a single group responsible for both functions can make limited budget dollars go farther and yield operational efficiencies.

NOCs and SOCs tend to have a similar operational structure, with both staffed using tiered call centers, monitoring and response teams. Junior analysts form the backbone of tier 1 and are responsible for work orders, real-time monitoring, call handling and initial identification and triage of detected and reported events. Events that can’t be triaged are escalated to senior, tier 2 staff for more detailed review and resolution. Tier 3 subject-matter experts serve as the final escalation point for the most complex of issues. Core knowledge is also shared by the staff, such as complying with SLAs, event escalation, internetworking fundamentals and troubleshooting.

NOC and SOC infrastructures and operations share common features as well. Both require analyst workstations, call routing and management systems, facilities, service-level agreements, standard operating procedures, workflow and trouble ticketing. Some monitoring technologies can be shared too, such as network-based anomaly detection to warn of unusual network behavior, or recurring health checks to confirm that critical devices are reachable. Rounding out the list are dual-use technologies that NOCs and SOCs each feel they should exclusively own, such as firewalls, DNS, proxies, remote access and VPN (virtual private network) servers.

There are differences too. Required staff skills diverge beyond tier 1: senior NOC staff need proficiency in network engineering, while senior SOC staff need proficiency in security engineering. The tools and techniques used for monitoring and event analysis differ, and so do the conclusions drawn from the same data. A NOC analyst may interpret an event indicating a device outage as a sign of hardware failure; a SOC analyst may interpret that same event as a sign of a compromised device. In other cases, high bandwidth utilization caused by legitimate traffic may prompt the NOC to take immediate steps to preserve availability, whereas the SOC may first question the validity of the traffic spike and then close the ticket as a nonevent. Converging NOC and SOC lets two previously disparate organizations collaborate more effectively on these everyday operational decisions, and it gets both readings of an event onto the same ticket before anyone acts on either: the NOC's remedy for a failed device, swapping or re-imaging it, also destroys the evidence the SOC would need if the device had in fact been compromised.
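The outage and traffic-spike cases above are, in a unified center, a correlation problem: the same event has to be read both ways before anyone acts on it. The Python below is an added example, not code from the article or from SecureInfo. It runs over a few constructed sample records (the host names, addresses, thresholds and the nightly-backup allowlist are all assumptions), applies the NOC reading and the SOC reading to each outage and each bandwidth spike, and routes the resulting ticket to the NOC or SOC queue at the appropriate tier.

```python
"""Unified NOC/SOC triage over constructed sample telemetry (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed assumptions (not from the article).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]         # assumed internal address space
SCHEDULED_BULK_JOBS = {("10.0.5.20", "10.0.9.9")}  # assumed nightly backup: (src, dst)
SPIKE_BYTES = 1_000_000_000                        # one flow record this large counts as a spike
LOOKBACK = timedelta(minutes=30)                   # how far before an outage security signals count
FAILED_LOGIN_THRESHOLD = 3

@dataclass
class Event:
    ts: datetime
    source: str   # "nms" (NOC monitor), "syslog" (device log) or "netflow"
    host: str     # device name, or source address for a flow record
    kind: str     # "outage", "failed_login", "config_change", "flow" or "other"
    detail: dict

@dataclass
class Ticket:
    host: str
    queue: str    # "NOC" or "SOC"
    tier: int
    reason: str

# Constructed sample records, as a merged console might receive them.
SAMPLE_RECORDS = [
    ("2008-02-05T02:00:05", "syslog",  "fw-edge1 sshd: Failed password for admin from 203.0.113.45"),
    ("2008-02-05T02:00:09", "syslog",  "fw-edge1 sshd: Failed password for admin from 203.0.113.45"),
    ("2008-02-05T02:00:14", "syslog",  "fw-edge1 sshd: Failed password for admin from 203.0.113.45"),
    ("2008-02-05T02:02:10", "syslog",  "fw-edge1 config: running-config changed by admin"),
    ("2008-02-05T02:03:00", "nms",     "fw-edge1 unreachable: 3 consecutive ICMP probes lost"),
    ("2008-02-05T03:30:00", "nms",     "core-sw2 unreachable: 3 consecutive ICMP probes lost"),
    ("2008-02-05T01:00:00", "netflow", "src=10.0.5.20 dst=10.0.9.9 bytes=4200000000"),
    ("2008-02-05T14:10:00", "netflow", "src=10.0.5.31 dst=198.51.100.77 bytes=3900000000"),
]

_FLOW = re.compile(r"src=(\S+) dst=(\S+) bytes=(\d+)")

def parse_record(ts, source, text):
    """Turn one raw record into an Event with a coarse kind for the rules below."""
    when = datetime.fromisoformat(ts)
    if source == "netflow":
        src, dst, nbytes = _FLOW.search(text).groups()
        return Event(when, source, src, "flow", {"dst": dst, "bytes": int(nbytes)})
    host, _, rest = text.partition(" ")
    if "unreachable" in rest:
        kind = "outage"
    elif "Failed password" in rest:
        kind = "failed_login"
    elif "config" in rest and "changed" in rest:
        kind = "config_change"
    else:
        kind = "other"
    return Event(when, source, host, kind, {"text": rest})

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def triage(events):
    """Apply the NOC reading and the SOC reading to each actionable event."""
    events = sorted(events, key=lambda e: e.ts)
    tickets = []
    for ev in events:
        if ev.kind == "outage":
            # Enrich the availability event with the security signals that preceded
            # it on the same host before deciding which queue owns it.
            prior = [e for e in events if e.host == ev.host and ev.ts - LOOKBACK <= e.ts < ev.ts]
            fails = sum(1 for e in prior if e.kind == "failed_login")
            changed = any(e.kind == "config_change" for e in prior)
            if fails >= FAILED_LOGIN_THRESHOLD or changed:
                tickets.append(Ticket(ev.host, "SOC", 2,
                    f"outage preceded by {fails} failed logins, config change={changed}: "
                    "possible compromise; capture device state before any reset or swap"))
            else:
                tickets.append(Ticket(ev.host, "NOC", 1,
                    "outage with no prior security signal: check hardware and link"))
        elif ev.kind == "flow" and ev.detail["bytes"] >= SPIKE_BYTES:
            dst = ev.detail["dst"]
            if (ev.host, dst) in SCHEDULED_BULK_JOBS:
                tickets.append(Ticket(ev.host, "NOC", 1,
                    "bandwidth spike matches a scheduled job: close as nonevent"))
            elif not is_internal(dst):
                tickets.append(Ticket(ev.host, "SOC", 2,
                    f"bulk transfer to external {dst}: validate before adding capacity"))
            else:
                tickets.append(Ticket(ev.host, "NOC", 1,
                    "internal bandwidth spike: ensure availability, then confirm validity"))
    return tickets

def triage_sample():
    return triage([parse_record(*r) for r in SAMPLE_RECORDS])

if __name__ == "__main__":
    for t in triage_sample():
        print(f"{t.queue} tier {t.tier} [{t.host}] {t.reason}")
```

Run it directly to print the four tickets. The rules are deliberately simple; what matters is the shape: an availability event is enriched with the security signals that preceded it on the same host before a hardware fix is ordered, and a bulk transfer is checked against what is known to be legitimate before capacity is added or the ticket is closed.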

Beyond the obvious annualized savings from eliminating redundant operational infrastructure and tier 1 staff, a single, integrated point of contact for all network and IT security events provides cost efficiencies of its own. Users no longer have to wonder whom to call when there's something strange in the neighborhood. Analysts no longer need to cross reporting structures or navigate a political quagmire to investigate events that traverse both network and security devices. Service levels also benefit from a unified NOC/SOC through improved communication and increased situational awareness: incident response time drops when a single group owns both the capability and the responsibility for enacting mitigating measures. Staff attrition may fall as well, because broader career paths spanning networking and security help the organization retain critical tribal knowledge and maintain operational stability.

Though not a panacea, integrated network and security monitoring, management and response capabilities bring self-aware and self-defending networks closer to reality. One caution applies: merge the teams, not the controls. The analyst who changes a firewall rule or VPN configuration should still not be the one who reviews and approves that change, so that consolidating two cost centers does not quietly remove a check that existed only because the two groups were separate. ■


Yong-Gon Chon and Bill Jaeger are executives at information assurance company SecureInfo.




Compliance

Building Privacy & Security Into Your Organization

The CSO Executive Seminar Series on Business Risk Leadership

Thank you to our Los Angeles sponsors.

Platinum Sponsors: Novell, Protegrity

Gold Sponsors: Applied Identity, NetVision, Ounce Labs

Silver Sponsors:

2008 Corporate Events Partners: Applied Identity, Aveksa, FishNet Security, NetVision, Protegrity, SailPoint (Identity Risk Management)

Join your security executive peers at one of our upcoming events. View the 2008 conference calendar at www.CSOonline.com/conferences.


[ debriefing ]


Keys  to  the  Castle 


1.  How  old  is  the  oldest  known 
set  of  locks  and  keys? 

a.  900  years  b.  1,500  years  c.  4,000  years  d.  7,000  years 

2.  True  or  False:  King  Henry  VIII 
employed  a  personal  locksmith. 

3.  Which  name  does  not  belong 
to  a  real  locksmith? 

a. Yale  b. Chubb  c. Louis XVI  d. Lockyer

4.  Which  of  the  following  does  not  include 
some  reference  to  keys  and  locks? 

a.  The  ceiling  frescoes  of  St.  Eligius  Church  in  Rome 

b.  “The  Bayeux  Tapestry” 

c.  Homer’s  Odyssey 

d.  The  United  States  Constitution 

e.  The  Old  Testament’s  Song  of  Songs 

5. Draw a line from locksmithing innovation to the culture that invented it and then to the era in which it was invented.

   Innovation                          People        Time
   a. Pin-and-tumbler locks            1. Scotch     i. Remote Antiquity
   b. Padlocks with spring mechanism   2. Viking     ii. A.D. 1831
   c. Keyless combination locks        3. Chinese    iii. A.D. 850
   d. Time-controlled release lock     4. Egyptian   iv. 4000 B.C.

6.  Identify  which  of  the  following  refers  to  the 
first  known  published  guide  to  lock  picking: 

a.  1898,  when  Linus  Yale  Jr.  published  the  secrets  to  his  massively 
successful  pin-and-tumbler  lock  in  order  to  force  customers  to  buy  a 
new,  more  secure  version 

b.  1790,  when  Joseph  Bramah  explained  how  virtually  any  lock  could  be 
compromised  with  just  a  blank  key  and  some  wax 

c.  Third  century  B.C.,  when  Callimachus,  in  his  Hymn  to  Ceres,  included 
several  verses  that  explained  how  to  “craft  a  special  key  to  unlock 
your  enemy’s  house" 

d.  A.D.  1100,  when  the  Church  of  St.  Eligius  in  Rome  was  built,  and 
artisans  painted  lock-picking  scenes  in  the  ceiling  frescoes 

7.  True  or  False:  Keys  were  worn 
as  jewelry  in  Ancient  Rome. 

8.  About  how  many  patents  on  locking  devices 
were  issued  in  the  United  States  before  1920? 

a.  7  b.  155  c.  900  d.  3,000 

BONUS  QUESTION:  According  to  a  Jewish 
proverb,  whom  do  locks  keep  out? 


ANSWERS (printed upside down in the magazine): 1. c. They belong to the palace of Emperor Sargon II in Khorsabad, now in Northern Iraq. 2. True. His name was Henry Romains, and he would precede the King's arrival at a destination and outfit his residence with his own personal locks. 3. d. 4. d. 5. a-4-iv, b-2-iii, c-3-i, d-1-ii. 6. b. 7. True, usually as rings or necklaces, since Roman clothes didn't have pockets. 8. d. Bonus Question: "only the honest."


How'd You Do?

0-3 Correct: Picked
4-7 Correct: Pinned and Tumbled
8-9 Correct: Deadbolted




Photo  by  iStockphoto 


For top security in both physical and logical access control, we've got the credentials.

With HID's Crescendo line, the world leader in physical access can now provide logical access on the same credential.

HID has earned its reputation with the unmatched performance of millions of access control cards and readers all over the world. Now, our Crescendo solutions extend the same expertise to controlling access to your PC or network, and the technology can be combined with your existing physical access control system. Whether it's doors or Windows, HID knows that rock-solid security and reliability are the key.

Crescendo simply adds to our credentials.

Microsoft Identity Lifecycle Manager 2007

To request a Crescendo Evaluation Kit, visit www.hidglobal.com/crescendo


"I am fearless.

I protect a 2 billion dollar retail business.

I believe security should enable business growth, not limit it.

I focus on what's important.

I lead.

I innovate.

I win.

I am fearless."

When it comes to security, most businesses understand what it means to fail. But few can imagine what it would mean to succeed. RSA's information-centric security solutions can move your business forward. That's why we're the chosen security partner of more than 90 percent of the Fortune 500.

Don't just secure your business. Accelerate it. Learn more at www.rsa.com/go/kayak

RSA, The Security Division of EMC

Secure Anytime, Anywhere Access
Protect Customer Identities
Secure Enterprise Data
Manage Compliance and Security Information

©2007 RSA Security Inc. All rights reserved. RSA and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies.


